This is the third day of my participation in the Gwen Challenge.

Links to jump

We play with our phones every day, browsing countless data resources and enjoying the information we find. With short-video platforms booming, there is more and more knowledge, and more and more links and resources. Someone on WeChat sends you a link, perhaps to a funny video on Bilibili, or to a gift on the Jingdong mall. But what is the story behind these jumps between resources? In case you don't know, Luca will take you behind the veil of the link.

URL: Uniform Resource Locator

All resources on the Internet are accessed through URLs, each of which acts as an address that takes you to the location of the resource.

On the WWW, each information resource has a uniform and unique address on the Internet. This address is called a Uniform Resource Locator (URL); it is the resource's network address.

URL composition:

It consists of four parts: protocol, host, port, and path

Are the resources of WeChat and Bilibili different?

Simply put, the DNS system matches different hosts with different port numbers

WeChat: https://mp.weixin.qq.com/s/HbzLEt6NOP9Is9F3GOnbUQ

Bilibili: https://www.bilibili.com/video/BV1LA411g7Qt

A domain name (DNS) is the familiar short name of a website or product, used as a keyword in place of a fixed host IP address.

For example:

Suppose I want to find Xiao Ming to play. Without DNS, I go straight to his classroom, because Xiao Ming and I are classmates and I know where it is. But if his relatives come to the school to find him, they go to the teacher in charge. The teacher in charge plays the role of domain name resolution (DNS): the teacher tells them he is in class three of grade five, the first classroom on the right on the third floor, and then they can find Xiao Ming.

Without further ado:

Because resources are distinguished by protocol, host, and port, resources can be parsed and shared internally, while other websites may not know about them. This is where a new protocol comes in.

The browser is the tool that presents the data the server returns to the client, and its main job is to tell the URLs of many links apart. For example, we log in to the Jingdong mall to shop, and after logging in we stay logged in the whole time; that is the work of cookies. If there is a malicious website with a name like Jingdong's and you visit it, could it tamper with the information in your cookie or not?

The answer is no, because browsers have a particularly important security mechanism, the same-origin policy:

For example, suppose there were no same-origin policy. After visiting Jingdong, buying things, and transferring money, a user opens website B. If B is a phishing website, then without the restriction of the same-origin policy it could access and modify any data in JD through JS. (To put it bluntly, the policy judges whether it's one of us.)

Same-origin policy (SOP):

The same-origin policy is a convention. It is the core and most basic security function of the browser.

The same-origin policy is a browser behavior that protects local data from being contaminated by data retrieved by JavaScript code. What the same-origin policy intercepts is therefore the data received by the client. That is, the request is sent and the server responds, but the browser cannot receive the response.

Essence

If two pages have the same protocol, port (if specified), and domain name, then the two pages have the same origin.

For example, compared with https://www.bilibili.com/video:

| URL | Same origin? | Why |
| --- | --- | --- |
| https://www.bilibili.com/video | Yes | |
| https://www.bilibili.com/li’ke | Yes | |
| http://www.bilibili.com/video.html | No | Protocol is different |
| https://www.bilibi.com/video | No | Domain name is different |
| https://www.bilibili.com:8080/video | No | Port number is different |
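
The comparison in the table above, as an added example (not code from the original post), written for Node.js with the standard `URL` parser. The function names and the last two sample URLs are constructed for illustration, and the code goes slightly beyond the table by treating an unspecified port as the protocol's default.

```javascript
// Added example: same-origin check on (protocol, domain name, port).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Break a URL into its origin triple. The URL parser lower-cases the host
// and returns an empty port when the default is used, so fill the default in.
function originTuple(url) {
  const u = new URL(url); // throws TypeError on malformed input
  if (!(u.protocol in DEFAULT_PORTS)) {
    return null; // data:, file:, etc. are not compared in this example
  }
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Compare a candidate URL with a base URL and say why they differ.
function compareOrigin(base, candidate) {
  let a, b;
  try {
    a = originTuple(base);
    b = originTuple(candidate);
  } catch {
    return { same: false, why: 'invalid URL' };
  }
  if (!a || !b) return { same: false, why: 'not an http(s) URL' };
  if (a.protocol !== b.protocol) return { same: false, why: 'protocol is different' };
  if (a.host !== b.host) return { same: false, why: 'domain name is different' };
  if (a.port !== b.port) return { same: false, why: 'port is different' };
  return { same: true, why: '' };
}

const BASE = 'https://www.bilibili.com/video';
const SAMPLES = [
  'https://www.bilibili.com/video',
  'http://www.bilibili.com/video.html',
  'https://www.bilibi.com/video',
  'https://www.bilibili.com:8080/video',
  'https://www.bilibili.com:443/video', // constructed: explicit default port
  'https://WWW.BILIBILI.COM/other',     // constructed: host in upper case
];
for (const s of SAMPLES) {
  const r = compareOrigin(BASE, s);
  console.log(s, r.same ? 'same origin' : `different (${r.why})`);
}
```

The path never enters the comparison, which is why the first two rows of the table are same-origin even though their paths differ.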

Where it mainly shows

Client scripts from different origins cannot read or write each other's resources without explicit authorization. So JS scripts under xyz.com that use Ajax to read abc.com files will be rejected.

Conclusion:

The same-origin policy restricts how documents or scripts loaded from one origin can interact with resources from another origin. This is an important security mechanism for isolating potentially malicious files.

Because browsers enforce the same-origin policy, when we need to access other resources across domains we can use CORS, JSONP, and so on. The next issue will cover that. Come on!

I’m Luca, and it’s been a full day, ollie.