JavaScript - Same Origin Policy

Same Origin: all three of the following, taken from the HTML document running the script, must be the same:
1) Application layer protocol (http, https)
2) Domain name (www.abc.com)
3) TCP port (80, 8080)
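
The three-part comparison above, as an added example that is not part of the original notes: it parses two URLs and reports which component, if any, makes them cross-origin. The helper names and sample URLs are constructed for illustration, and it assumes a runtime with the standard URL class (browsers, Node.js).

```javascript
// Added example: compares the three origin components listed above.
// originOf(), sameOrigin() and firstMismatch() are hypothetical helper names.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the (protocol, host, port) triple the policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol, // "http:" or "https:", lowercased by the parser
    host: u.hostname,     // lowercased by the parser
    // URL.port is "" when the port is the scheme default, so fill it in
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Name the first component that differs, or null when the origins match.
function firstMismatch(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  for (const part of ["protocol", "host", "port"]) {
    if (x[part] !== y[part]) return part;
  }
  return null;
}

// True only when protocol, domain name and port all match.
function sameOrigin(a, b) {
  return firstMismatch(a, b) === null;
}

// Constructed sample URLs (not from the original page).
const page = "http://www.abc.com/dir/page.html";
const samples = [
  "http://www.abc.com/other/data.json", // same origin, the path is ignored
  "http://www.abc.com:80/data.json",    // same origin, 80 is the http default
  "HTTP://WWW.ABC.COM/data.json",       // same origin, case is normalized
  "https://www.abc.com/data.json",      // protocol differs
  "http://api.abc.com/data.json",       // domain name differs
  "http://www.abc.com:8080/data.json",  // port differs
];

for (const target of samples) {
  console.log(target, "->", firstMismatch(page, target) || "same origin");
}
```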

- Exception:
1) include scripts across domains
2) submit POST forms to another domain

- Check:
1) XMLHttpRequest
2) Script Get

- Solutions:
1) Proxy: make the cross-domain call on the server side and return the result to the front end.
2) document.domain + IFrame: set document.domain to the same domain (must be under the same parent domain), then communicate through the IFrame.
3) cookie: set the cookie on the same domain and fetch it (must be under the same parent domain).
4) IFrame + hash: set the IFrame's src and attach parameters to the URL, usually through location.hash (no need to refresh the page).
5) JSONP: use a <script/> tag to pull the cross-domain script string back and execute it:
<script id="crossdomainscript" type="text/javascript"> </script>
document.getElementById("crossdomainscript").setAttribute("src", url)
6) window.name: its value is kept even when the page is navigated to another domain's URL. So we can:
a. Open a page on domain A.
b. Set the iframe src to domain B and set window.name to a value.
c. Set the iframe src back to domain A (any page is OK; we do this because we can only access the iframe in the same domain).
d. Fetch the value through window.name: document.getElementById('iframe1').contentWindow.name