The same-origin policy prevents a script loaded from one origin from reading or modifying document objects that belong to a different origin. It is the core and most basic security feature of the browser.

1 Same-origin judgment rule

Two URLs are considered to be of the same origin only if their protocol, domain name (or IP address) and port are all the same.

Given the URL http://www.deniro.net, compare it with the URLs in the following table to see whether each one is of the same origin:

URL                                       Same origin?       Why
http://www.deniro.net/welcome.html        Same origin        -
https://www.deniro.net/welcome.html       Different origin   Protocol differs
http://www.deniro.net:8080/welcome.html   Different origin   Port number differs
http://book.deniro.net/welcome.html       Different origin   Domain name differs

2 Load resources across domains

CDN stands for Content Delivery Network, a content distribution network built on top of the existing network. Relying on edge servers deployed in many locations, together with the load-balancing, content-distribution and scheduling modules of a central platform, it lets users fetch the content they need from a nearby server, which reduces network congestion and improves response speed and hit ratio.

When these tags load resources, the browser issues a GET request to fetch them. However, when JavaScript is loaded this way, permission to read and write the returned content is limited.

3 The XMLHttpRequest object

The XMLHttpRequest object can exchange data with the server. The specific functions are as follows:

  • Update a web page without reloading it.
  • Request data from the server after the page has loaded.
  • Receive data from the server after the page has loaded.
  • Send data to the server in the background.

For security, the XMLHttpRequest object cannot access resources across domains by default, so be careful with this in Ajax development.

4 XMLHttpRequest Cross-domain access standard

Browsers decide whether to allow cross-domain access based on the Access-Control-Allow-Origin header returned by the target domain; the decision has to be made by the browser because JavaScript itself cannot manipulate these HTTP headers.
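The same-origin comparison from section 1 and the browser-side Access-Control-Allow-Origin check from section 4, as an added JavaScript example that is not part of the original post. It assumes the WHATWG URL API (available in browsers and Node.js) and a response-header object with lowercase keys; the port-defaulting table and the credentialed-request rule for "*" are standard browser behaviour.

```javascript
// Added example: origin comparison and the CORS read decision a browser makes.
// Default ports are normalised the way browsers do: http -> 80, https -> 443.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is protocol + host + port; path, query and fragment are ignored.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Explain why two URLs differ, mirroring the "Why" column of the table above.
function whyDifferent(a, b) {
  const ua = new URL(a), ub = new URL(b);
  if (ua.protocol !== ub.protocol) return "protocol differs";
  if (ua.hostname !== ub.hostname) return "domain name differs";
  const pa = ua.port || DEFAULT_PORTS[ua.protocol];
  const pb = ub.port || DEFAULT_PORTS[ub.protocol];
  if (pa !== pb) return "port differs";
  return "same origin";
}

// Browser-side decision for a cross-origin XMLHttpRequest response:
// the page may read the body only if Access-Control-Allow-Origin is "*"
// or names the page's own origin. When the request carried credentials
// (cookies), "*" is rejected and the header must name the origin exactly.
// `responseHeaders` is assumed to be a plain object with lowercase keys.
function corsAllowsRead(pageUrl, responseHeaders, withCredentials = false) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (!allow) return false;           // header absent: browser blocks the read
  if (allow === "*") return !withCredentials;
  // Compare as origins so a default port in either form still matches.
  return sameOrigin(allow, pageUrl);
}
```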