官术网_书友最值得收藏!

  • CORS Essentials
  • Rajesh Gunasundaram Randall Goya
  • 273字
  • 2021-07-09 19:53:41

Commonly allowed cross-origin resource sharing

The same-origin policy is not required for many resources that may be embedded in cross-origin. The sharing of specific file types is limited by file type headers and ensuring that the file extensions and file meta data match the expected type.

DOM elements allowed for cross-origin sharing

The following information box displays scenarios where DOM elements are allowed for cross-origin sharing:

Note

Images with the <img> tag, as long as the file type matches expected image formats.

Media files with the <video> and <audio> tags as long as the file type matches expected media formats.

JavaScript with the <script src="..."></script> tag. This method is used by many third-party applications, which embed a script to act upon the local resources, for example, a social media sharing service that analyzes the shareable images and other assets on current page and reads the URI.

CSS with the <link rel="stylesheet" href="..."> tag. Cross-origin CSS requires a correct content-type header. Client.

Plugins with the <applet>, <object> and <embed> tags.

Fonts with @font-face. Support for this method varies by client browser.

Any content or URI loaded with the <frame> and <iframe> tags.

Tip

The X-Frame-Options header can prevent interaction between frames on different domains.

Allowing cross-origin sharing in WebSockets

The ability of WebSockets to bypass the same-origin policy is seen as a security risk. Using WebSockets on a gateway/server that supports origin-based security provides header-based security similar to CORS.

Limited cross-origin JavaScript API access

JavaScript APIs, such as iframe.contentWindow, window.parent, window.open, and window.opener, provide limited cross-origin access to the Window and Location objects. Some browsers permit access to more properties than the specification allows. You can use window.postMessage instead to communicate between documents in separate windows.

主站蜘蛛池模板: 广河县| 三门峡市| 遂昌县| 甘德县| 阜宁县| 黑水县| 淅川县| 榆社县| 新安县| 阜新市| 桑植县| 获嘉县| 灵璧县| 化隆| 吉隆县| 大石桥市| 鱼台县| 商丘市| 青岛市| 彭水| 廊坊市| 麻栗坡县| 宜宾县| 吴旗县| 保靖县| 金堂县| 永修县| 弋阳县| 博爱县| 灵山县| 丰顺县| 谷城县| 崇左市| 讷河市| 呼玛县| 襄垣县| 八宿县| 郑州市| 浪卡子县| 荆门市| 揭东县|