 

Check if same origin policy applies

Is there a "safe" way to check if the same origin policy applies to a URL before actually trying to use ajax methods? Here is what I have:

    function testSameOrigin(url) {
        var loc = window.location,
            a = document.createElement('a');
        // Let the browser parse the URL by assigning it to an anchor element,
        // then compare the three parts of the origin tuple against the page.
        a.href = url;
        return a.hostname == loc.hostname &&
               a.port == loc.port &&
               a.protocol == loc.protocol;
    }

This sort of works, but it’s kind of a manual guess based on the wikipedia article. Is there a better way of pre-checking cross domain allowance? jQuery is OK to use.

David Hellsing asked Feb 22 '12 23:02




1 Answer

Is there a "safe" way to check if the same origin policy applies to a URL before actually trying to use ajax methods? Here is what I have:

    function testSameOrigin(url) {
        var loc = window.location,
            a = document.createElement('a');
        // Let the browser parse the URL by assigning it to an anchor element,
        // then compare the three parts of the origin tuple against the page.
        a.href = url;
        return a.hostname == loc.hostname &&
               a.port == loc.port &&
               a.protocol == loc.protocol;
    }

This is a safe and reliable way of doing it, provided you are doing (or rather not doing) certain things.

This sort of works, but it’s kind of a manual guess based on the wikipedia article.

This should fully work under the "normal" circumstances. It will need to be modified if you are planning to use cross-domain scripting.

If you modify document.domain in your scripts, for example from "foo.example.com" and "bar.example.com" to "example.com" your testSameOrigin function would return false for "http://example.com", where in fact it should return true.

If you are planning on modifying document.domain, you can simply add a check for that in your script.

If you are planning on using CORS (see the link above) to allow cross-domain communication, it will also return a false negative. But if you are using CORS, you will have a list of domains that you can communicate with, and you can add that list to this function as well.

Is there a better way of pre-checking cross domain allowance? jQuery is OK to use.

Probably not, although it may be worth mentioning that what you are seeing in the console from Steve's answer might be the "observer's dilemma" ... Those errors look like they are resulting from the console trying to inspect the other window, not necessarily from the script.

Assuming you're not messing with document.domain or using CORS, your original solution is probably better, as it doesn't need to make an extra request to determine whether the server is available or not. Even if you are doing some cross-domain scripting, modifying the function you have now to accommodate it is probably your best bet.

Dagg Nabbit answered Sep 29 '22 21:09

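The same pre-check as the question's testSameOrigin, rebuilt on the WHATWG URL API and extended with the two cases the answer says need handling (a relaxed document.domain and a known list of CORS-enabled origins). This is an added example, not code from the question or the answer; the option names relaxedDomain and corsAllowlist are assumptions, and the page URL is passed in explicitly so the function can run outside a browser.

```javascript
// Added example (not from the question or answer): same-origin pre-check on
// the WHATWG URL API, plus the document.domain and CORS cases from the answer.

// Resolve url against the page URL; return null instead of throwing on junk.
function resolveUrl(url, pageHref) {
  try {
    return new URL(url, pageHref);
  } catch (e) {
    return null;
  }
}

// Strict same-origin test. URL.origin serialises scheme + host + port and
// folds the default port, so "https://h:443/" and "https://h/" compare equal,
// and a relative path like "/api" resolves to the page's own origin.
// Opaque origins (data:, javascript:, ...) serialise as "null" and never match.
function isSameOrigin(url, pageHref) {
  const target = resolveUrl(url, pageHref);
  const page = new URL(pageHref);
  return target !== null && target.origin !== "null" && target.origin === page.origin;
}

// Wider test for a page that has opted in to cross-origin access.
// relaxedDomain: the value this page assigned to document.domain (assumption:
//   the other document assigned the same value). Under the document.domain
//   rules the port drops out of the comparison, but the scheme must match.
// corsAllowlist: origins the page knows reply with Access-Control-Allow-Origin.
function canRequest(url, pageHref, { relaxedDomain = null, corsAllowlist = [] } = {}) {
  if (isSameOrigin(url, pageHref)) return true;
  const target = resolveUrl(url, pageHref);
  if (target === null) return false;
  const page = new URL(pageHref);
  if (relaxedDomain && target.protocol === page.protocol) {
    const host = target.hostname;
    if (host === relaxedDomain || host.endsWith("." + relaxedDomain)) return true;
  }
  return corsAllowlist.some((allowed) => {
    const a = resolveUrl(allowed, pageHref);
    return a !== null && a.origin === target.origin;
  });
}
```

In a browser, pass window.location.href as pageHref; a false result means the request will be blocked unless the server opts in with CORS, so it is a reason to pick a different transport, not a security boundary of its own.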