How does same-domain policy work for popup windows when the URL is set to run JavaScript?

Question

I want to do something like this:

var w = window.open("javascript: makeAnAjaxRequest();");

My question is, would the Ajax request (executed once the new window opens) be considered a cross-site request? Does the same-domain policy apply to the original domain whose page created the window?

In resposne to some of your comments:

someAjaxFunction() just has to make an Ajax request and be able to operate on the result. I understand that the function has to be defined in the window I am opening. No problem; I have a minified ajax function that I am using which I can inject into the URL as well. The point is to see what the limitations are of the request; i.e., under which domain will the same-domain policy be applied to?

Answer 1

Some info from google: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access

With no additional qualifiers, the term "same-origin policy" most commonly refers to a mechanism that governs the ability for JavaScript and other scripting languages to access DOM properties and methods across domains (reference). In essence, the model boils down to this three-step decision process:

If protocol, host name, and - for browsers other than Microsoft Internet Explorer - port number for two interacting pages match, access is granted with no further checks. Any page may set document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., foo.bar.example.com may set it to example.com, but not ample.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted. If neither of the above conditions is satisfied, access is denied.

Info from Mozilla

I can not access the properties of the new secondary window. I always get an error in the javascript console saying "Error: uncaught exception: Permission denied to get property . Why is that?

It is because of the cross-domain script security restriction (also referred as the "Same Origin Policy"). A script loaded in a window (or frame) from a distinct origin (domain name) cannot get nor set properties of another window (or frame) or the properties of any of its HTML objects coming from another distinct origin (domain name). Therefore, before executing a script targeting a secondary window, the browser in the main window will verify that the secondary window has the same domain name. More reading on the cross-domain script security restriction: http://www.mozilla.org/projects/secu...me-origin.html

So your answer is

1. So, if the protocol and hostname and port match for all browsers but IE, it's the same domain
2. If the protocol and hostname match for IE, it's the same domain

Otherwise, you are restricted.

EDIT - real answer

window.open('javascript:doFunction()') would not do anything except open a new blank window which fails to do anything because doFunction is not defined. It needs to be defined in the same window.

Sidenote I can do the same-origin xhr request by injecting the ajax into the url directly, but it's still susceptible to the same-domain policy.

x = window.open('javascript:x = new XMLHttpRequest; x.open("GET", "http://medero.org", false); x.onreadystatechange = function(){ if ( x.readyState != 4 ) { return; }; alert(x); alert( x.responseText );}; try {x.send(null); } catch (e) { alert(e)}; alert("ok"); ');

It fails in Firefox. And I haven't tested it in MSIE yet. But

Tests:

(failure) Chrome 7 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
TypeError: Cannot read property 'body' of undefined

(success) Chrome 7 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
"test"

(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
Permission denied for <http://stackoverflow.com> to get property Window.document from <http://www.google.com>.

(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80

>>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
>>> x.document.body.innerHTML='test';
"test"

(failure) Firefox 3.6 ( console ) from http://stackoverflow.com:80

$.ajax({
   url:'http://bing.com',
   success:function(data) {
      alert(data) // blank alert
   }
})

(success) Firefox 3.6 ( console ) from http://stackoverflow.com:80

$.ajax({
   url:'http://stackoverflow.com',
   success:function(data) {
      alert(data) // success
   }
})