

Why does CORS allow sending data to any server?

javascript,cross-domain,cors,same-origin-policy
I spent some time understanding how Cross-Origin Resource Sharing works, and I cannot believe how this could be designed so insecurely. When a website hosted on foo.com wants to request a resource which is stored at bar.com via ajax, the browser asks bar.com if the request is allowed. Only if bar.com...
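The question above stops short of the detail that explains the design. The following is an added example, not part of the original question or answers: a small model of what the browser enforces and what the server decides. Origins and the allow-list are made-up values; the preflight approval is modelled with the same origin check as the response (a real preflight also needs Access-Control-Allow-Methods / -Headers).

```javascript
// Added example (not from the original question): a minimal model of what a
// browser enforces under CORS and what a server decides. Origins and the
// allow-list below are made-up values for illustration.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Does the browser send a preflight (OPTIONS) before this request?
// A "simple" request is sent straight away with no chance for the server to
// veto it; the server only gets to veto the *reading* of the response. That
// is why CORS never stops data leaving the browser: a plain HTML form could
// already send exactly the same request before CORS existed.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Server side: choose CORS response headers from an explicit allow-list.
// Reflecting the Origin header unconditionally, or using "*" together with
// credentials, are the two common mistakes; this helper does neither.
function corsHeadersFor(requestOrigin, allowedOrigins, { credentials = false } = {}) {
  if (!allowedOrigins.has(requestOrigin)) return {}; // no CORS headers at all
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // Vary so shared caches do not serve one origin's ACAO to another.
    "Vary": "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: may script running at requestOrigin read this response?
function browserCanRead(requestOrigin, responseHeaders, { withCredentials = false } = {}) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard never unlocks credentialed responses
  if (acao !== requestOrigin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Walk through the scenario from the question: a page on one origin calls
// a server that has its own allow-list. Returns whether a preflight happens,
// whether the actual request (and its body) reaches the server, and whether
// the calling page can read the response.
function simulate(requestOrigin, method, headers, allowedOrigins, withCredentials = false) {
  const preflight = needsPreflight(method, headers);
  const response = corsHeadersFor(requestOrigin, allowedOrigins, { credentials: withCredentials });
  // Without a preflight the request body has already reached the server.
  // With one, the browser only sends the real request if the preflight passed
  // (modelled here with the same origin check as the final response).
  const sent = preflight ? browserCanRead(requestOrigin, response, { withCredentials }) : true;
  const readable = browserCanRead(requestOrigin, response, { withCredentials });
  return { preflight, sent, readable };
}
```

Run `simulate("https://attacker.example", "POST", { "Content-Type": "text/plain" }, new Set(["https://foo.com"]))` to see the asymmetry the question is about: `sent` is true but `readable` is false. Switching the content type to `application/json` turns on the preflight and the request is never sent.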

How to bypass Cross origin policy [duplicate]

javascript,php,same-origin-policy
This question already has an answer here: Ways to circumvent the same-origin policy (11 answers). A mobile app needs to get access to a JSON file on another server, and it's showing a cross-origin policy blocked error. So is there any way to bypass this or have access to...

Can an iframe release itself from allow-same-origin?

javascript,iframe,same-origin-policy
If Site A has an iframe of Site B, and the two sites are on different domains, can Site B know (via js or something) if it's in an iframe with the allow-same-origin attribute and thwart it? I need to reassure the administrators of site B that their site is...

same origin policy error when creating map

javascript,same-origin-policy
I tried running the code below that creates a map using OpenLayers. The code is an example from the GeoServer Beginner's Guide. The code creates a map and adds a couple of layers to it. The client-side code (below) is loaded from the local filesystem and the layer data is...

how can I access iframe.contentDocument to get response after cross-origin request?

javascript,iframe,cross-domain,same-origin-policy,allow-same-origin
I'm successfully sending a file from localhost:8888 to localhost:8080 (different domain in production), but I can't read the HTTP response after the transfer finishes. Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "http://localhost:8888" from accessing a frame with origin "http://localhost:8080". The frame requesting...
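The error in the question is the same-origin policy doing its job: the parent may not read a document from another origin. The sanctioned channel for getting the upload result back is postMessage. The following is an added example, not code from the original question or its answers; the two localhost origins are taken from the question, and the message shape (`type`, `ok`, `status`, `message`) is an assumption.

```javascript
// Added example (not from the original question): the cross-origin
// alternative to reading iframe.contentDocument. The uploader page in the
// frame (http://localhost:8080) posts its result to the parent
// (http://localhost:8888); the parent accepts only messages from the origin
// it expects. Origins follow the question; the message shape is assumed.

const UPLOADER_ORIGIN = "http://localhost:8080";
const PARENT_ORIGIN = "http://localhost:8888";

// Runs inside the frame once the upload finishes. targetOrigin is set
// explicitly (never "*") so the result is not delivered if something has
// navigated the parent to another site in the meantime.
function reportUploadResult(parentWindow, result) {
  parentWindow.postMessage({ type: "upload-result", ...result }, PARENT_ORIGIN);
}

// Builds the parent's "message" listener. Returns the handler so it can be
// exercised with constructed event objects; in the page it is attached with
// window.addEventListener("message", handler). Returns true when a message
// was accepted, false when it was ignored.
function makeUploadResultHandler(expectedOrigin, onResult) {
  return function handler(event) {
    // 1. Origin check first: any page on the web can post to this window.
    if (event.origin !== expectedOrigin) return false;
    // 2. Shape check: never trust the structure of cross-origin data.
    const data = event.data;
    if (!data || typeof data !== "object" || data.type !== "upload-result") return false;
    if (typeof data.ok !== "boolean" || typeof data.status !== "number") return false;
    onResult({ ok: data.ok, status: data.status, message: String(data.message ?? "") });
    return true;
  };
}

// Demonstration with constructed events (no browser needed).
function demo() {
  const received = [];
  const handler = makeUploadResultHandler(UPLOADER_ORIGIN, r => received.push(r));

  // A fake parent window that records what the frame would post to it.
  const posted = [];
  const fakeParent = { postMessage: (data, targetOrigin) => posted.push({ data, targetOrigin }) };
  reportUploadResult(fakeParent, { ok: true, status: 200, message: "stored" });

  // Deliver that post as the parent would see it...
  const accepted = handler({ origin: UPLOADER_ORIGIN, data: posted[0].data });
  // ...then an impersonation attempt from another origin carrying identical data.
  const spoofed = handler({ origin: "http://attacker.example", data: posted[0].data });
  // ...and a message from the right origin with the wrong shape.
  const malformed = handler({ origin: UPLOADER_ORIGIN, data: "done" });
  return { accepted, spoofed, malformed, received, targetOrigin: posted[0].targetOrigin };
}
```

The two checks in the handler are the ones that matter in practice: `event.origin` is set by the browser and cannot be forged by the sender, and the shape check keeps a malformed or hostile payload from reaching application code.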

Can different subdomains of the same app prevent malicious attack like XSS?

security,xss,same-origin-policy
In my Rails app I have two subdomains. One: members.myapp.com, which is the area shared between all members (where they can log in and manage their accounts). Two: each member has their own website on a subdomain like this: member1.myapp.com, member2.myapp.com, member3.myapp.com, etc. Let's imagine that user1.myapp.com runs...

Server-side requests and XmlHTTPRequest (client-side) and security

javascript,security,xmlhttprequest,cross-domain,same-origin-policy
I was wondering about the following: When I make an XmlHTTPRequest to an external source outside my domain, it will fail when there is a conflict with the same-origin policy. This is due to security reasons. The code I wrote will be executed on a client's PC, which has restrictions. However...

Iframes and Same-Origin-Policy and reverse proxy hack

html,security,iframe,same-origin-policy
I have been reading up on iframes with different domains than the parent document, and I am slightly confused. I understand that if the iframe is from the same domain as its parent document, the parent document can access the iframe's document. It seems like I could circumvent this with...