Same origin policy

Maybe some of you can help me get a better understanding of the javascript same origin policy.

The same origin policy is defined as follows (http://en.wikipedia.org/wiki/Same_origin_policy):

In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.

I have deployed a GWT application to the Google App Engine with url

http://metalsandstocks.appspot.com

Since GWT compiles all Java into JavaScript, this means my app is deployed as JavaScript. Since this is an Ajax application I assumed that it would be required to abide by the same origin policy. The app uses Ajax to make calls to a different domain (http://finance.yahoo.com) in order to get real-time stock quotes for display to the user. The app works as described, yet it has a different domain than the one it calls for its updates. Does this app violate the same origin policy? Why or why not?

GimmeShelter asked May 03 '11 00:05
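An added example, not part of the question above, to pin down what "origin" means before reading the answers: the policy compares the (scheme, host, port) triple of two URLs, nothing else. The sample URL pairs are constructed; the code uses the WHATWG URL class available in Node and in browsers.

```javascript
// Added example, not part of the original question: what the same-origin
// policy actually compares. An origin is the (scheme, host, port) triple;
// path, query string and fragment are not part of it.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialize the origin of a URL with the default port made explicit,
// or return null for anything that is not an http(s) URL.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True only when scheme, host and port all match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Constructed pairs: the question's case plus the usual near misses.
const PAIRS = [
  ["http://metalsandstocks.appspot.com/", "http://finance.yahoo.com/q?s=GOOG"],
  ["http://metalsandstocks.appspot.com/", "http://metalsandstocks.appspot.com/quotes/"],
  ["https://example.com/", "https://example.com:443/api"],
  ["http://example.com/", "https://example.com/"],
  ["http://example.com/", "http://api.example.com/"],
  ["http://example.com/", "http://example.com:8080/"],
];

function report(pairs) {
  return pairs.map(([a, b]) =>
    `${a} vs ${b} -> ${sameOrigin(a, b) ? "same" : "different"} origin`);
}

for (const line of report(PAIRS)) console.log(line);
```

The first pair is the asker's situation: the GWT page and finance.yahoo.com are different origins, so a plain XMLHttpRequest from the page could not read Yahoo's response without one of the mechanisms the answers describe.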




3 Answers

CORS (Cross-Origin Resource Sharing) is a standard way to allow cross-domain AJAX calls.

It's quite simple. For example, if the HTTP header Access-Control-Allow-Origin: * is added to a page (using PHP for example) then JavaScript from any domain will be able to read the page using AJAX. If such a header is not present then the same-origin policy will prevent the page from being read by AJAX calls from a different domain.

Using CORS, the owner of a page (for example a page that exposes specific data or an API) can expose that page (and that page only) for others to call from their own domains. The principle is that if the owner of a page explicitly says "it's OK for others to access my stuff" then CORS will allow it. Otherwise, the same-site policy is assumed.

See: http://www.w3.org/TR/cors/

Oliver Moran answered Oct 13 '22 13:10
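An added example, not Oliver Moran's code, showing the server side of what the answer describes: deciding what to put in Access-Control-Allow-Origin. The allowlist, the quotes endpoint and the quote data are hypothetical. The handler is written as pure functions over a {method, headers} request object so the decision logic can be exercised without opening a socket.

```javascript
// Added example, not Oliver Moran's code: a server deciding what to send in
// Access-Control-Allow-Origin. Allowlist, endpoint and data are hypothetical.

// Hypothetical: pages on these origins may read the quotes endpoint from script.
const ALLOWED_ORIGINS = new Set([
  "http://metalsandstocks.appspot.com",
  "https://metalsandstocks.appspot.com",
]);

// CORS headers for a request carrying the browser-supplied Origin header,
// or an empty object when that origin is not allowed. Echo an allowlisted
// origin; never echo an arbitrary one, and never combine "*" with
// Access-Control-Allow-Credentials, or any site can read the response.
function corsHeaders(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    // The response differs per origin, so caches must key on the Origin header.
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET",
    "Access-Control-Max-Age": "600",
  };
}

// For truly public, cookie-free data "*" is fine: anyone could fetch it anyway.
function publicCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Minimal request handler: `req` is { method, headers } with lowercase header
// names, as Node's http module provides. Returns { status, headers, body }.
function handleQuotes(req) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === "OPTIONS") {
    // Preflight: refuse outright if the origin is not allowed.
    const ok = Object.keys(cors).length > 0;
    return { status: ok ? 204 : 403, headers: cors, body: "" };
  }
  // A simple GET reaches the server regardless of origin; it is the browser
  // that withholds the body from script unless the allow-origin header
  // matches the calling page's origin.
  return {
    status: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify({ symbol: "GOOG", price: 123.45 }), // constructed sample
  };
}
```

The point worth checking in any real deployment is the GET branch: the request is served and the data leaves the server either way. CORS is enforced by the browser on the reading side, so it protects the data only from other pages in a browser, not from anyone who can issue the request directly.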


You can get Yahoo Finance using JSONP, so that is most definitely what you are using.

An example URL is...

http://d.yimg.com/autoc.finance.yahoo.com/autoc?query=Apple&callback=YAHOO.Finance.SymbolSuggest.ssCallback

When the request has loaded, it will call the callback you define in the GET param. This allows you to work around same origin policy, provided the service has support for JSONP.

Alternatively, some people use their server as a proxy.

alex answered Oct 13 '22 15:10
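An added example, not alex's code, covering both halves of the JSONP exchange the answer describes. The client half builds a URL of the shape shown above and injects it as a script tag; the server half is a hypothetical responder (not Yahoo's) that shows the one check a JSONP host cannot skip: the callback name comes from the query string and is written into executable script, so it must be validated rather than echoed.

```javascript
// Added example, not alex's code: client and server sides of JSONP.
// The Yahoo URL is only used as the base; the responder is hypothetical.

// Dotted JavaScript identifier path, e.g. YAHOO.Finance.SymbolSuggest.ssCallback.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Client side: build the URL whose response will be loaded as a <script>.
function jsonpUrl(base, params, callbackName) {
  const u = new URL(base);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  u.searchParams.set("callback", callbackName);
  return u.toString();
}

// Client side: the classic trick. Whatever the remote host returns executes
// as script in our page, so this is only acceptable for services we trust
// as much as our own code. `doc` is the page's document.
function loadJsonp(doc, url) {
  const s = doc.createElement("script");
  s.src = url;
  doc.head.appendChild(s);
  return s;
}

// Server side: answer with `callback(json);`. The callback parameter is
// attacker controlled; echoing it unvalidated turns the endpoint into a
// reflected script injection on the JSONP host itself.
function jsonpResponse(callbackParam, data) {
  if (typeof callbackParam !== "string" || !CALLBACK_RE.test(callbackParam)) {
    return { status: 400, contentType: "text/plain", body: "invalid callback" };
  }
  return {
    status: 200,
    contentType: "application/javascript",
    // Leading comment, as several large JSONP providers emit, so the response
    // cannot start with attacker-chosen bytes that another file parser would
    // accept (the content-sniffing class of attack against JSONP endpoints).
    body: `/**/${callbackParam}(${JSON.stringify(data)});`,
  };
}

const demoUrl = jsonpUrl(
  "http://d.yimg.com/autoc.finance.yahoo.com/autoc",
  { query: "Apple" },
  "YAHOO.Finance.SymbolSuggest.ssCallback"
);
console.log(demoUrl);
console.log(jsonpResponse("YAHOO.Finance.SymbolSuggest.ssCallback", { q: "Apple" }).body);
console.log(jsonpResponse("alert(document.cookie);//", {}).status);
```

On the client the trust runs the other way from CORS: with CORS the browser lets script read a response the server allowed, while with JSONP the page simply executes whatever the remote origin sends back. A compromised or malicious JSONP provider has the same power over the page as an injected script tag.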


Accessing data between services is not the same as calling a JavaScript function defined on one domain from another domain.

In other words, I think you're confusing "same origin policy" (which prevents, for example, one tab in my browser from calling a JS function defined on a site in another tab of my browser) with JS getting data from a URL (e.g. stock prices from yahoo).

jefflunt answered Oct 13 '22 15:10