html summary

1. HTML entity conversion

Displayed   Description         Entity name   Entity number (decimal / hex)
(space)     non-breaking space  &nbsp;        &#160; (&#xA0;)
<           less-than sign      &lt;          &#60;  (&#x3C;)
>           greater-than sign   &gt;          &#62;  (&#x3E;)
&           ampersand           &amp;         &#38;  (&#x26;)
"           double quote        &quot;        &#34;  (&#x22;)
'           single quote        &apos;        &#39;  (&#x27;)

2. cache
# don't use cache:
cache-control: no-store
cache-control: no-cache
(always go back to the server regardless of freshness: no-store never stores the response, no-cache may store it but must revalidate before every reuse)
# use cache
cache-control: max-age=[seconds]
expires: [date]
cache-control: public
cache-control: private
validation:
(1) if expires or max-age is set and the cached copy is still fresh, the browser loads the file directly from the cache without making a request.
(2) if the cached copy is stale, the browser sends a request to the server to validate whether it is still usable; if yes, the server returns 304 Not Modified, otherwise it handles the request as usual and returns a new response. The validators are:
    last-modified / if-modified-since
    etag / if-none-match
(3) if no cached copy is available, the browser sends the request to the server.

3. same origin policy & cors
ref:
https://web-security.guru/en/web-security/same-origin-policy
http://www.ruanyifeng.com/blog/2016/04/cors.html
https://enable-cors.org/

sop:
same protocol (scheme)
same domain (host)
same port
we can load img, video, script etc. from another domain (embedding is allowed), but we can't:
(1) read Ajax responses via XMLHttpRequest and fetch from another origin
(2) read and write the Document Object Model (DOM) of another origin
(3) read and write stored data (cookies, session storage & local storage) of another origin

cors:
create a whitelist that allows one origin to access resources from another origin.
It cannot keep your content secret (anyone can fetch it directly), but it protects innocent users from scripts running on a malicious website: the malicious origin is not listed in Access-Control-Allow-Origin, so the user's browser refuses to hand the response to it.
if you want to share your content with another origin and also keep it confidential, use OAuth2.
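As an added example, not from the original notes: a server-side allowlist check in Python of the kind the cors paragraph describes, beside the reflect-any-Origin misconfiguration it guards against. The origins in `ALLOWED_ORIGINS`, the lower-cased header dict and the function names are assumptions for illustration.

```python
# Constructed allowlist of exact origins (scheme + host + port); the names are
# assumptions for this example, not from the notes.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}

def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS, allow_credentials=True):
    """Return the CORS response headers for one request.
    request_headers maps lower-cased header names to values. The result carries
    Access-Control-Allow-Origin only for an allowlisted Origin, so the browser
    blocks every other cross-origin read: the protection the note describes."""
    origin = request_headers.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to grant
    # Exact match only. Browsers send a canonical serialized origin, so this
    # rejects "null", another scheme or port, and look-alike hosts such as
    # "https://app.example.com.evil.net" that prefix or regex checks let through.
    if origin not in allowed_origins:
        # No Access-Control-Allow-Origin at all: the browser withholds the response.
        return {"Vary": "Origin"}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # The value depends on the request's Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        # Credentialed (cookie-bearing) responses may not use "*"; the browser
        # only exposes them when an explicit allowlisted origin is named.
        headers["Access-Control-Allow-Credentials"] = "true"
    if request_headers.get("access-control-request-method"):
        # Preflight: the browser asks before sending a non-simple request.
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers

def reflect_origin_insecure(request_headers):
    """Contrast case: echoing any Origin together with credentials lets every
    site read the user's authenticated responses in their browser. Do not deploy."""
    origin = request_headers.get("origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    # Constructed requests: an allowlisted preflight, then a look-alike origin.
    print(cors_headers({"origin": "https://app.example.com", "access-control-request-method": "POST"}))
    print(cors_headers({"origin": "https://app.example.com.evil.net"}))  # {'Vary': 'Origin'}
```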