An intuitive explanation of the same-origin policy (同源策略形象解读)
Two URLs have the same origin when their protocol (scheme), host name and port are all identical.
The same-origin policy is an important browser security policy. It restricts how a document from one origin, or a script loaded by that document, may interact with resources from another origin.
Its purpose is to protect user data and to stop malicious websites from stealing it.
The same-origin policy prevents a site from reading another origin's cookies, IndexedDB, localStorage and similar data.
The same-origin policy also restricts cross-origin data exchange through XMLHttpRequest and similar mechanisms: a page cannot read the response to a request it sends to a different origin.
What would happen if there were no same-origin policy?
- A hacker sends you a phishing page that embeds the official QQ website in a full-width, full-height <iframe>, so the page looks exactly like the real QQ site.
- You do not look closely, click through, and enter your user name and password.
- Because the JS of the outer page could directly access the DOM of the cross-origin document inside the <iframe>, it can read the QQ login form.
- The JS reads your form data (account and password) and sends it to the attacker's server.
- Your account is gone.
- You reset your password, and the hacker sends you another phishing page, which again embeds the official QQ website in an <iframe>, exactly like the real one.
- You open the page. Because you logged in to QQ in this browser earlier and the cookie is still stored, you are logged in without typing a password.
- You quietly congratulate yourself: no password entered, so it must be safe.
- The JS reads the cookies of the cross-origin document inside the <iframe> and sends them to the attacker's server.
- Your account is gone again.
- You recover your password once more, and the hacker sends yet another phishing page.
- The hacker swears there is no QQ page in it at all, just a blog they built themselves.
- Being kind, you open it again. It really is an ordinary blog, and you think the hacker has turned over a new leaf.
- Its JS sends an Ajax request to the cross-origin official QQ site. By default the request carries your stored QQ cookie, so it succeeds as you, and the response data is forwarded to the attacker's server.
- Your account is gone yet again.
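All three stories come down to one decision the browser makes before a script may touch another document's DOM, cookies, storage or responses: do the two URLs share an origin? The comparison below is an added example, not code from the original post; the hosts qq.example and evil-blog.example are constructed stand-ins for the official site and the attacker's page.

```javascript
// Added example (not from the original post): the same-origin comparison
// written out explicitly, then cross-checked against the URL API.
// An absent port means the scheme's default port.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Decompose a URL into the three components that define its origin.
// Path, query and fragment are deliberately ignored: they never matter.
function originParts(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port !== "" ? u.port : (DEFAULT_PORT[u.protocol] || ""),
  };
}

// Return the components that differ; an empty list means same origin.
function originMismatch(a, b) {
  const x = originParts(a), y = originParts(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

// The same decision via the URL API's own serialisation of the origin,
// which already drops default ports and everything after the authority.
function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed hosts: qq.example is the protected site, evil-blog.example
// is the attacker's page from the three scenarios above.
const CASES = [
  ["https://qq.example/login", "https://qq.example:443/mail/inbox"], // same origin: path and explicit default port do not matter
  ["http://qq.example/", "https://qq.example/"],                     // scheme differs, and so does the default port
  ["https://qq.example/", "https://mail.qq.example/"],               // a subdomain is a different host
  ["https://qq.example/", "https://qq.example:8443/"],               // explicit non-default port
  ["https://evil-blog.example/", "https://qq.example/"],             // attacker's page framing or fetching the real site
];

function report() {
  return CASES.map(([a, b]) => ({ a, b, differs: originMismatch(a, b), same: isSameOrigin(a, b) }));
}

for (const r of report()) {
  const why = r.same ? "" : ` (${r.differs.join(", ")} differ)`;
  console.log(`${r.same ? "same origin " : "cross-origin"}  ${r.a} vs ${r.b}${why}`);
}
```

Only the first pair is same-origin; every other pair is the case in which the browser blocks the script's access, which is exactly what the three stories would lose without the policy.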