Shulou(Shulou.com)06/03 Report--

This article introduces the knowledge of "what is Cookie Cross-Domain and CORS Protocol". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

A normal Cookie can only be shared in one application, that is, an Cookie can only be obtained by the application that created it. The main purpose of realizing the cross-domain of Cookie is to unify the application platform and realize the requirement similar to single sign-on.

What is cross-domain?

By cross-domain, it means to cross the same origin policy of the browser.

Homology refers to three identical:

Same agreement

Same domain name

Same port

Violations of the same origin policy have the following restrictions:

Cookie, LocalStorage, IndexDB cannot be obtained

DOM is not available

AJAX request cannot be sent

CORS solution cross-domain

What is CORS?

In 2014, the W3C released CORS Recommendation to facilitate resource sharing. By default, browsers do not carry Cookie for cross-domain requests. However, in view of the importance of Cookie in authentication and other aspects, CORS recommends using additional response header fields to allow cross-domain Cookie to be sent. Therefore, CORS is essentially a set of specifications specified by W3C. Mainstream browsers determine whether cross-domain Cookie is allowed by looking at the protocol headers returned by the server.

Implement CORS

The key to realize CORS communication is the server. As long as the server implements the CORS interface, cross-domain communication can be achieved.

It mainly involves the following protocol headers:

Access-Control-Allow-Origin:*

This field is required, and its value is either the value of the Origin field at the time of the request or a *, indicating that the request for any domain name is accepted

Access-Control-Allow-Credentials:true

This field is optional, and its value is a Boolean value indicating whether Cookie is allowed to be sent. By default, Cookie,Cookie is not included in the CORS request. Set to TRUE, which means that the server is explicitly licensed, and Cookie can be included in the request.

Access-Control-Expose-Headers:,... .

By default, only seven simple response headers (simple response headers) can be exposed to the outside world: Cache-Control,Content-Language,Content-Length,Content-Type,Expires,Last-Modified,Pragma. If you want the client to have access to other first pieces of information, you can list them in Access-Control-Expose-Headers.

Access-Control-Request-Method:

This field is required, in response to the first Access-Control-Allow-Methods, to make clear the list of methods or methods allowed for the resource to be accessed by the client.

Access-Control-Request-Headers:,... .

The request header Access-Control-Request-Headers is used to tell the server which request headers will be used in the real request.

Access-Control-Allow-Headers:,... .

This field is required to allow which request headers can cross domains

This is the end of the content of "what is the Cookie Cross-Domain and CORS Protocol". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.