Things were really simple when webpages were static. Write some text, add images, add links and serve it to your users.
Same Origin Policy
moth.example.com: Ayy bruh! Can I fetch lamp.example.com real quick?
Now let's see which pages can be accessed by

| URL | Result | Reason |
|---|---|---|
| https://moth.example.com/dir/moth.html | Success | Same host, port, protocol |
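The comparison behind that table, as an added example that is not code from the original post: a browser reduces each URL to the triple (scheme, host, port) and allows a read only when all three match. moth.example.com and lamp.example.com are the post's own hostnames; the page path and the list of target URLs are constructed here to cover each way an origin can differ.

```javascript
// Added example, not code from the original post: how a browser reduces a URL
// to an origin and compares two origins under the same-origin policy.
// moth.example.com and lamp.example.com are the post's own hostnames; the
// page URL and the list of targets below are constructed for this example.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin triple: scheme, host and effective port.
// Path, query and fragment never take part in the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                                  // e.g. "https:"
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",     // URL drops default ports, restore them
  };
}

// Decide whether a document at pageUrl may read a response from targetUrl,
// and name every component that breaks the match when it is blocked.
function checkAccess(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  const mismatches = ["scheme", "host", "port"].filter((k) => a[k] !== b[k]);
  if (mismatches.length === 0) {
    return { allowed: true, reason: "Same host, port, protocol" };
  }
  return { allowed: false, reason: "Different " + mismatches.join(", ") };
}

// The document doing the fetching, as in the post's table: a page on
// https://moth.example.com (the path is assumed).
const PAGE = "https://moth.example.com/dir/page.html";

// Constructed targets covering each way an origin can differ.
const TARGETS = [
  "https://moth.example.com/dir/moth.html",  // same origin, different path
  "https://moth.example.com:443/other.html", // explicit default port, still the same origin
  "https://moth.example.com:8443/",          // different port
  "http://moth.example.com/",                // different scheme (and therefore default port)
  "https://lamp.example.com/",               // different host
  "https://www.moth.example.com/",           // a subdomain is a different host
];

// Build the access table for every target; returns an array of rows.
function accessTable(pageUrl = PAGE, targets = TARGETS) {
  return targets.map((t) => ({ url: t, ...checkAccess(pageUrl, t) }));
}

for (const row of accessTable()) {
  console.log(`${row.allowed ? "Success" : "Blocked"}\t${row.reason}\t${row.url}`);
}
```

Real browsers expose the same reduction as `new URL(...).origin`; the hand-written version above only exists to make the port and scheme handling visible (note that switching https to http changes both the scheme and the default port).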
Cross Origin Resource Sharing
Things were secure again, but it raised a problem, a big one. The restriction exists to stop a malicious page from reading responses from other origins (with the victim's cookies attached), but it also meant a legitimate page could no longer make requests from
To make things good again, they introduced something called Cross Origin Resource Sharing. The idea was simple: let developers choose whom they want to share their resources with. If the developer wants to share data between goodBoy.example.com and goodGirl.example.com, let them do so.
For this purpose, goodGirl.example.com needs to send a new response header, Access-Control-Allow-Origin, naming the origin it trusts (a single origin, or * for everyone).
How does CORS work?
Step 1. You visit goodBoy.example.com in your browser.
Step 2. The website tries to load data from goodGirl.example.com.
Step 3. Your browser makes the request to goodGirl.example.com and adds an Origin header carrying the page's origin, https://goodBoy.example.com.
Step 4. goodGirl.example.com returns the response including the Access-Control-Allow-Origin HTTP header.
Step 5. The browser checks if goodBoy.example.com is allowed by that header. If it is, the page's script gets to read the response; if not, the response is dropped before the script ever sees it (the server still received and answered the request).
Someone suggested standardizing yet another header with the name
The idea was shot down because the header name was too long ;)
Well, instead of a separate header, Adobe's Flash Player (which actually had this problem before CORS existed) uses a policy file named crossdomain.xml, which must be located in the root of the host, like https://facebook.com/crossdomain.xml for example:
```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.xx.fbcdn.net" />
  <allow-access-from domain="static.connectproject.org" />
  <allow-access-from domain="static.whatsapp.net" />
  <allow-access-from domain="static.0.facebook.com" />
  <allow-access-from domain="static-0.facebook.com" />
  <allow-access-from domain="z-1-static.xx.fbcdn.net" />
  <allow-access-from domain="z-m-static.xx.fbcdn.net" />
  <allow-access-from domain="z-p3-static.xx.fbcdn.net" />
  <allow-access-from domain="z-p4-static.xx.fbcdn.net" />
  <allow-access-from domain="static.facebook.com" />
  <allow-access-from domain="static.xx.fbcdn23dssr3jqnq.testonion" />
  <allow-access-from domain="static.xx.fbcdn23dssr3jqnq.onion" />
  <allow-access-from domain="xwf-static.xx.fbcdn.net" />
</cross-domain-policy>
```
It's similar to Access-Control-Allow-Origin, except that the check is done by the Flash Player plugin rather than by the browser itself: when a SWF running in your browser tries to make a request to another domain, Flash Player first fetches that domain's crossdomain.xml and only lets the SWF read the response if one of the allow-access-from rules matches the domain the SWF was loaded from. The site-control element with master-only says that only this root policy file counts; policy files in subdirectories are ignored. The thing to look for in an audit is an allow-access-from rule with domain="*": that grants every site on the internet read access to the host's responses, cookies included, which is exactly the hole the same-origin policy was meant to close (the CORS equivalent is reflecting any Origin into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true).
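The decision Flash Player makes from such a file, as an added example that is neither Adobe's code nor code from the original post. The first policy is an excerpt of the facebook.com file quoted above; the wildcard policy is constructed as the over-permissive counter-example an audit should flag. The attribute scanner is deliberately minimal (no XML library, well-formed policy assumed), and the secure-attribute handling follows Adobe's documented default of secure="true" for policies served over https.

```javascript
// Added example, not code from the original post or from Adobe: a small
// evaluator for a crossdomain.xml policy, the decision Flash Player makes
// before letting a SWF loaded from one domain read a response from another.
// FACEBOOK_POLICY is an excerpt of the file quoted in the post; WILDCARD_POLICY
// is constructed. The attribute scanner assumes well-formed policy XML.

const FACEBOOK_POLICY = `<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.xx.fbcdn.net" />
  <allow-access-from domain="static.whatsapp.net" />
  <allow-access-from domain="z-p3-static.xx.fbcdn.net" />
</cross-domain-policy>`;

// Constructed: the configuration an audit should flag.
const WILDCARD_POLICY = `<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>`;

// Collect the attributes of every <tag ... /> element as plain objects.
function elements(xml, tag) {
  const element = new RegExp(`<${tag}\\b([^>]*?)/?>`, "g");
  const attribute = /([\w-]+)\s*=\s*"([^"]*)"/g;
  const found = [];
  let m;
  while ((m = element.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attribute.exec(m[1])) !== null) attrs[a[1]] = a[2];
    found.push(attrs);
  }
  return found;
}

// Does an allow-access-from domain pattern cover hostname? Per Adobe's spec,
// "*" matches every host, "*.example.com" matches example.com and all of its
// subdomains, and anything else is an exact (case-insensitive) match.
function domainMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (p === "*") return true;
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return h === base || h.endsWith("." + base);
  }
  return p === h;
}

// The value of <site-control permitted-cross-domain-policies="...">, or null
// when the element is absent. "master-only" means only this root file counts
// and policy files in subdirectories are ignored.
function permittedPolicies(xml) {
  const sc = elements(xml, "site-control")[0];
  return sc ? sc["permitted-cross-domain-policies"] || null : null;
}

// May a SWF served from swfUrl read responses from the host that published
// policyXml? policyOverHttps says whether that host served the policy over
// TLS; when it did, a rule's secure attribute (default "true") refuses SWFs
// that were not themselves loaded over https. Returns {allowed, rule, warnings}.
function flashAllows(policyXml, swfUrl, policyOverHttps = true) {
  const swf = new URL(swfUrl);
  const warnings = [];
  const rules = elements(policyXml, "allow-access-from");
  if (rules.some((r) => r.domain === "*")) {
    warnings.push('domain="*" lets every site on the internet read this host\'s responses');
  }
  for (const r of rules) {
    if (!r.domain || !domainMatches(r.domain, swf.hostname)) continue;
    const secure = (r.secure || "true").toLowerCase() !== "false";
    if (policyOverHttps && secure && swf.protocol !== "https:") {
      warnings.push(`rule for ${r.domain} skipped: SWF was not loaded over https`);
      continue;
    }
    return { allowed: true, rule: r.domain, warnings };
  }
  return { allowed: false, rule: null, warnings };
}

console.log(permittedPolicies(FACEBOOK_POLICY));                                          // master-only
console.log(flashAllows(FACEBOOK_POLICY, "https://static.xx.fbcdn.net/app.swf").allowed); // true
console.log(flashAllows(FACEBOOK_POLICY, "http://static.xx.fbcdn.net/app.swf").allowed);  // false
console.log(flashAllows(FACEBOOK_POLICY, "https://evil.example.net/app.swf").allowed);    // false
console.log(flashAllows(WILDCARD_POLICY, "https://evil.example.net/app.swf"));            // allowed, with a warning
```

Pointing `flashAllows` at a downloaded policy file is a quick way to review a host during an assessment: an `allowed: true` for a hostname you do not control, or any entry in `warnings`, is the finding.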
So yeah, that’s pretty much it.
Also, Marvel is better than DC.