tags:

views:

288

answers:

2
Q: 

Javascript same origin security issue

Hello everyone,

I learned the Javascript concept of same source of origin, which means Javascript code could only access the host where it is downloaded from.

My confusion is, I have developed Javascript code, store the code locally into a .js file and call Javascript code from another local html file. When I use IE to open the local html file, I find the Javascript could access any host, like Google and Bing.

Here is my code. My confusion is, seems the Javascript same original security restriction does not apply to locally running Javascript?

http://stackoverflow.com/questions/1187535/javascript-xmlhttprequest-issue

thanks in advance, George

+1  A: 

When you say 'access any host' what do you mean?

Do you mean that you receive notification of when your code loads a URL on google, or do you mean you can interrogate the HTML DOM of the page that loads.

I very much doubt you can do the later. I recall from experience doing this (a while ago mind) that receiving notification that a page has loaded should be possible - it's just that you simply can't see or modify anything ON that page.

David Christiansen  2009-07-28 08:58:30
Thanks David, what I mean is I can send request and retrieve response from google.com. I think it breaks same origin policy?
George2  2009-07-28 09:24:29
+2  A: 

The same origin policy means that xmlhttp requests can be done to the same domain from which the js is loaded and executed, it is enforced by all browsers, also, if you are developing ajax code, there is no sense in executing it from a different domain from the one you will load the pages.

IE makes some exceptions on the SOP from local files, but these are edge situations and you shouldn't bother with them.

Anonymous  2009-07-28 09:06:46
Thanks Anonymous, do you mean for local js and html files, same source of origin policy does not apply?
George2  2009-07-28 09:25:26
If yes, do you have any more documents to prove?
George2  2009-07-28 09:25:57
No, there are only a few exceptions to the SOP in IE, in FF you can disable it tweaking a preference in about:config see http://kb.mozillazine.org/Security.fileuri.strict_origin_policy.But I really think you should test your ajax code as it is meant to be used.
Anonymous  2009-07-28 09:38:59
Thanks but I think your document does not apply to IE? It is firefox?
George2  2009-07-28 09:56:42

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?