Menu
I am running into same-origin policy issues in Javascript. I've read about a workaround for this using the document.domain variable, but I cannot get the workaround to work. The workaround is that you are supposed to be able to set document.domain to 'example.com' so that if you run code from foo.example.com it can load data via XHR from bar.example.com.
Details on the workaround are here:
https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
My example code -- which doesn't produce the desired results -- is run from a URL like http://foo.example.com/:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <body> <script> document.domain = 'example.com'; window.onload = function() { var req = new XMLHttpRequest(); var url = 'http://bar.example.com/'; req.open('GET', url, true); req.onreadystatechange = function (aEvt) { if (req.readyState == 4) { var elem = document.getElementById('result'); if (req.status == 200) { var data = req.responseText; } else { var data = "Error loading page: " + req.status; } elem.innerHTML = data; } }; req.send(null); }; </script> Result:<hr> <div id="result"></div> </body> </html> The output from this code:
Result: Error loading page: 0
If I change url to 'http://foo.example.com/', everything works correctly. Is there a bug in my example code?
I don't want to use a proxy because they're slower, less efficient, and will increase traffic on our web server. It'd be really cool if this workaround actually worked. Is this workaround "pie in the sky"?
584
Changing Origin Occasionally, the same origin policy may block requests between subdomains on the same domain. The easiest way to solve this problem is to set document. domain from within JavaScript.
The Basics of the Same-Origin Policy One such restriction is that scrips executing on http://example.com are not allowed to access resources on http://subdomain.example.com . Restrictions are applied based on the document's origin where an origin is defined in RFC 6454 Section 4.
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.
In computing, the same-origin policy (sometimes abbreviated as SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
document.domain allows the communication between frames/iframes. Not XHR.
<body> <iframe src="http://bar.example.com/"></iframe> <script> document.domain = 'example.com'; var ifr = document.getElementsByTagName('IFRAME')[0]; ifr.onload = function(e){ //will log the string "BODY" in the console console.log(ifr.contentWindow.document.body.tagName); }; </script> </body> If you remove the line with document.domain, reading the content of the contentWindow will throw the Same Origin Policy error.
129
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
