cross origin communication (cors)
Post on 09-Jul-2015
unlocking the secrets

don't make cross-origin requests

Protection for server / Protection for clients

Netscape days - 1999? RFC 6454

All browsers: javascript * java * flash

There's IE, and then there's everyone else...

<script src="..."/>
<img/video src="..."/>
<a href="..."/>
form submission
iframe embedded pages

Javascript cannot be used to access most iframe properties/content
e.g.: banking app w/ ads

HTML5 Web Messaging (window.postMessage)

Web Messaging (traditional endpoint) / 303 redirect (S3 endpoint)
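The banking-app-with-ads case above is exactly where window.postMessage is used, and the receiving side has to check event.origin before acting on the data. The following is an added example, not code from the slides: a receiver that accepts only one trusted origin and one message shape, and a sender that names its target origin instead of using "*". The origins, the "resize" message and the event objects are assumptions constructed for the example (they stand in for browser MessageEvents so the code runs under Node).

```javascript
// Added example (not from the slides): a postMessage receiver that checks
// event.origin before trusting the data. The origins below are assumptions.

const TRUSTED_ORIGIN = 'https://ads.example'; // assumed origin of the embedded ad iframe

// Returns the action to perform, or null when the message must be ignored.
function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // Exact string comparison: a startsWith()/indexOf() check would also
  // accept https://ads.example.attacker-controlled-domain.
  if (event.origin !== trustedOrigin) {
    return null;
  }
  // Accept only a known, structured message shape; never eval() message data
  // or write it into the DOM as HTML.
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'resize') {
    return null;
  }
  const height = Number(data.height);
  if (!Number.isFinite(height) || height < 0 || height > 2000) {
    return null;
  }
  return { action: 'resize', height };
}

// Sender side (inside the iframe): pass the parent's origin explicitly. If the
// parent has navigated to another origin, the browser drops the message
// instead of delivering it there.
function sendResize(targetWindow, height, targetOrigin = 'https://bank.example') {
  targetWindow.postMessage({ type: 'resize', height }, targetOrigin);
  return targetOrigin;
}

// Constructed sample events standing in for browser MessageEvents.
const sampleEvents = [
  { origin: 'https://ads.example', data: { type: 'resize', height: 250 } },      // accepted
  { origin: 'https://ads.example.evil', data: { type: 'resize', height: 250 } }, // wrong origin
  { origin: 'https://ads.example', data: '<script>alert(1)</script>' },         // wrong shape
];

function runSamples() {
  return sampleEvents.map((e) => handleMessage(e));
}
```

In a browser the receiver is wired up with window.addEventListener('message', handleMessage); the point of the example is that the origin check happens first and that the data is treated as untrusted input even after the origin matches.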
Javascript access to properties, and the ability to export.
e.g. modifying an image & caching it

1. crossorigin attribute & Access-Control-Allow-Origin header (CORS)
2. Proxying

* Browsers will simply not send any cross-origin request
e.g. mini-stackoverflow

CORS spec / JSONP

Allows for cross-origin ajax requests:
servers must opt-in
full support in all modern browsers
IE9/8 have partial support
no support for IE7 & older

XMLHttpRequest
methods: GET, POST, HEAD
headers: Accept, Accept-Language, Content-Language, Content-Type
Content-Type: text/plain, application/x-www-form-urlencoded, multipart/form-data
request includes an Origin header
response must include an Access-Control-Allow-Origin header
response optionally includes Access-Control-Expose-Headers

XDomainRequest (IE8-9)
methods: GET, POST, HEAD
cannot send ANY headers!
request includes an Origin header
response must include an Access-Control-Allow-Origin header
no access to response headers
no access to response status

browser-preflighted XMLHttpRequest
methods: DELETE, PUT or GET/POST w/ non-simple headers or Content-Type
browser "preflights" request (OPTIONS) w/ Origin, Access-Control-Request-Method, & Access-Control-Request-Headers headers
server must respond with Access-Control-Allow-Origin, Access-Control-Allow-Methods, & Access-Control-Allow-Headers headers
browser then sends the original request w/ Origin header
server must respond w/ Access-Control-Allow-Origin header
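The three request kinds just listed (simple XMLHttpRequest, preflighted XMLHttpRequest, and the header-less XDomainRequest with its _method workaround from the next slide) are what a server has to tell apart when it opts in. The following is an added example, not code from the slides or from any library: server-side logic that classifies a request using the simple-request rules above, answers an OPTIONS preflight, and echoes the Origin back only when it is on an allow-list. ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS, X-Request-Id and the sample requests are assumptions constructed for the example; header names are lower-cased the way Node's http module presents them.

```javascript
// Added example, not part of the slides: server-side CORS handling for the
// simple / preflighted / _method-tunnelled cases. All allow-lists and sample
// requests below are assumptions constructed for the example.

const ALLOWED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = new Set(['content-type', 'x-requested-with']);

// What a browser may send without a preflight (the slide's simple-request rules).
const SIMPLE_METHODS = new Set(['GET', 'POST', 'HEAD']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data']);

// True when the request stays inside the "simple" envelope: GET/POST/HEAD,
// only the listed headers, and a form-style Content-Type.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method)) return false;
  for (const [name, value] of Object.entries(req.headers)) {
    const h = name.toLowerCase();
    if (h === 'origin') continue;                 // set by the browser, not by page script
    if (!SIMPLE_HEADERS.has(h)) return false;
    if (h === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Decide how to answer. Returns { kind, headers } so the caller can set the
// headers on the real response. The Origin is echoed back only when it is on
// the allow-list; reflecting arbitrary origins would let any site read the
// response (and, combined with Allow-Credentials, read it as the logged-in user).
function corsHeaders(req) {
  const origin = req.headers.origin;
  if (!origin) return { kind: 'no-origin', headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) return { kind: 'rejected', headers: {} };

  // Vary: Origin keeps a shared cache from serving one origin's ACAO to another.
  const base = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };

  const reqMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && reqMethod) {
    // Preflight: the browser asks whether the real method and headers are allowed.
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(reqMethod.toUpperCase())
      && wantedHeaders.every((h) => ALLOWED_HEADERS.has(h));
    if (!ok) return { kind: 'rejected', headers: {} };
    return {
      kind: 'preflight',
      headers: {
        ...base,
        'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
        'Access-Control-Allow-Headers': [...ALLOWED_HEADERS].join(', '),
        'Access-Control-Max-Age': '600',
      },
    };
  }

  // Simple request, or the actual request that follows a successful preflight.
  // Expose-Headers names the non-default response headers script may read.
  return {
    kind: isSimpleRequest(req) ? 'simple' : 'actual',
    headers: { ...base, 'Access-Control-Expose-Headers': 'X-Request-Id' },
  };
}

// Workaround from the slides for clients (XDomainRequest) that cannot send
// PUT/DELETE: a POST carrying a _method parameter. Honoured only for POST and
// only for the two methods the workaround exists for.
function effectiveMethod(req) {
  const tunnelled = req.body && typeof req.body._method === 'string'
    ? req.body._method.toUpperCase() : null;
  if (req.method === 'POST' && (tunnelled === 'PUT' || tunnelled === 'DELETE')) {
    return tunnelled;
  }
  return req.method;
}

// Constructed sample requests (not captured traffic).
const sampleRequests = {
  simplePost: { method: 'POST', headers: { origin: 'https://app.example', 'content-type': 'application/x-www-form-urlencoded' }, body: {} },
  jsonPut: { method: 'PUT', headers: { origin: 'https://app.example', 'content-type': 'application/json' }, body: {} },
  preflight: { method: 'OPTIONS', headers: { origin: 'https://app.example', 'access-control-request-method': 'PUT', 'access-control-request-headers': 'Content-Type' } },
  evil: { method: 'GET', headers: { origin: 'https://evil.example' } },
  tunnelled: { method: 'POST', headers: { origin: 'https://app.example' }, body: { _method: 'delete' } },
};
```

In a real handler the result of corsHeaders(req) is copied onto the response (and a preflight is answered with an empty 204), and effectiveMethod(req) is used for routing. Note that a tunnelled POST still reaches the server as a POST, so whatever CSRF protection applies to POST applies to it as well.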
Not supported, but workarounds available for some cases:
DELETE/PUT method -> POST w/ _method param

XDomain iframe library