The first thing to understand is that cross-site and cross-domain are different. Same-site, cross-site, and first-party, third-party equivalent. However, the concept of same-origin and cross-origin is completely different from that of the browser SoP.
The same origin policy means that the protocol of the two URLs is the same hostname port. For example, its protocol is https and its hostname is wwwtaobao.com, port is 443. As the cornerstone of browser security, the same-origin policy is relatively strict in its same-origin judgment, relatively speaking, the same-origin judgment in cookies is relatively relaxed: as long as the ETLD+1 of the two URLs is the same, there is no need to consider the protocol and port. where ETLD stands for a valid top-level domain and is registered on a public suffix list maintained by Mozilla, for example, .com、.co.uk、.github.io etc. ETLD+1 means a valid top-level domain + second-level domain name, e.g. taobaocom etc.
To give a few examples, wwwtaobao.com and wwwbaidu.com is cross-site, www.coma.taobao.com and wwwb.taobao.com is the same station, agithub.io and bgithub.io is cross-site (note that it's cross-site). 
For browsers Same-origin policy protocol, domain name (subdomain, primary domain name), port number to prevent XSS, csrf and other REST requests to restrict cookies, localstorage, indexeddb and other stored content (sessionstorage and browser window related) DOM node AJAX request sent, the result is blocked by the browser (can be sent, Just blocked by the browser) The same-origin policy is that the browser checks the loaded resource before it receives it, and then restricts the loading. POST requests are not allowed: Options requests are sent before POST requests are sent, and the HTTP response status code is 403 (Forbidden). A GET request is allowed: The HTTP response status code is 200, but the data returned by the server cannot be read.
Cross-domain via JSONP (only get request; Similar to the eval principle; Good compatibility).
2、 document.domain + iframe cross-domain.
3、 location.hash + iframe
4、 window.name + iframe is cross-domain.
5. Postmessage cross-domain.
6. Cross-Origin Resource Sharing (CORS).
7. nginx ** cross-domain.
8. NodeJS middleware is cross-domain.
9. WebSocket protocol cross-domain.
The web front-end defines a function for obtaining cross-origin response data in advance, and initiates a get request through a script tag without homologous policy restrictions (put the name of the **function into the query parameter of this request), and then the server returns the execution of this **function (similar to the eval function), and puts the data that needs to be responded to into the parameters of the **function, and the script tag of the front-end will be executed immediately after requesting this executed **function. So you get the response data for the execution.
Hypothetic & non-epithecal perspectives.
Client request const result = await axiosget('');server appget('/test-get', function (req, res) )Server display.
Browser display.
Suppose there are two sub-projects, they need to share the same user system, how to ensure that the page is closed and the other project user is still logged in?
Two sub-projects must not be the same domain name.
Cross-domain with the same parent ->cookie domain path, different parent domain ->sso
cookie storage -> iframe reference link.