This is day 26 of my participation in the Juejin Daily Update Plan, February Writing Challenge.
1. Introduction
If you are not yet familiar with cross-origin requests and the same-origin policy, read the first article in this series: What is cross-origin? 1. What is the same-origin policy? (juejin.cn)
First, what JSONP means: JSON with Padding. The "padding" is the function call wrapped around the JSON data. JSONP is a "usage pattern" of the JSON data format that lets a web page obtain data from a server in a different domain. In the summer of 2005, George Jempty suggested that an optional variable assignment be prepended to JSON. The original JSONP proposal, in which the padding is a callback function, was made by Bob Ippolito in December 2005, and many Web 2.0 applications now use it, such as Dojo Toolkit applications, Google Web Toolkit applications and web services.
JSONP's official site: json-p.org/
2. Rationale
In general, resources from different origins cannot talk to each other, but the script element is an exception. The most common case is including jQuery from an external CDN. It is not only script: the src of an img tag and the href of a link tag are also not restricted by the same-origin policy. When a linked resource reaches the browser, the browser handles it according to its type: a CSS file triggers a repaint of the page, an img is drawn into the page, and a script is executed.

Why can we use jQuery after including it on a page? Because when the browser executes the jQuery library, it adds a property to the global window object, $, and we can then use $ for all kinds of processing. This is also why CSS normally goes in the head while JS scripts go at the end of the body: it reduces the number of repaints, and because the JS engine is single-threaded, a script placed in the head would pause rendering of the page while the JS engine runs it.

JSONP uses exactly this ability of the script tag to load a script from a different origin in order to cross origins: the page obtains data from another origin, delivered as a script that calls back into the page with the JSON. That is what JSONP is. Note that what comes back is not JSON, it is JavaScript.
Let's see one example:
Frontend:
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.2/jquery.js"></script>
<script>
  // the callback that the cross-origin script will invoke with the data
  function test(data) {
    console.log(data);
  }
</script>
<!-- the "JSONP request": a script tag whose src carries the callback name -->
<script src="http://localhost:3000/?fun=test"></script>
```
Backend (Node.js as an example):
```javascript
const http = require('http');
const querystring = require('querystring');

http.createServer((req, res) => {
  // take the query string after "?" and parse it into an object, e.g. { fun: 'test' }
  var urlc = querystring.parse(req.url.split('?')[1]);
  console.log(urlc);
  res.writeHead(200, { 'content-type': 'text/html;charset=utf-8' });
  var data1 = { name: 'ili' };
  // res.write(data1);   // a plain object cannot be written directly
  // convert the object to a JSON string, then wrap it in a call to the callback
  // named in the query; the browser will execute the result as a script.
  // Note that urlc.fun is reflected into the script unvalidated (see the summary).
  data1 = JSON.stringify(data1);
  let callback = `${urlc.fun}(${data1})`;
  res.end(callback);
}).listen(3000, () => {
  console.log('the service runs on port 3000 at http://localhost:3000');
});
```
The backend therefore returns a piece of JavaScript code; the frontend has a callback function of the same name that receives it, and the browser then runs that function, which may just hand over pure data or perform some operation.

To start a JSONP call (or to use this pattern), a script element is needed. So for each JSONP request the browser must add (or reuse) a new script element with a fresh src in the HTML DOM, that is, "inject" the element. The browser evaluates the element, fetches the URL in src, and executes the JavaScript that comes back. Because of this, JSONP is described as "a way of circumventing the same-origin policy by injecting script elements".
3. Summary
As can be seen from the above, this cross-origin technique only solves cross-origin problems between the frontend and the server. It can also solve cross-origin problems between two frontend pages by going through the server. It cannot directly solve frontend-to-frontend cross-origin problems, such as one page reading and manipulating another page's data. And because it relies on script tags, only GET requests are supported.
Including a remote site's script tag lets that remote site inject anything it likes into the page. If the remote site has a JavaScript injection vulnerability, the including site is affected as well.
Naive JSONP deployments are vulnerable to cross-site request forgery (CSRF/XSRF). Because the HTML script tag does not obey the same-origin policy in browsers, a malicious page can request and obtain JSON data belonging to another site. When the user is logged in to that other site, the browser attaches its cookies to the script request, so the malicious site can handle the returned JSON in its own context, which may leak the user's password or other sensitive information.
This approach requires custom development on both client and server, and the data returned by the server cannot be standard JSON but must be wrapped in the callback. It should rarely be used in new projects now, apart from maintaining older ones.




