I have an environment that doesn't really allow server-side scripting (it is extremely difficult to get a script "installed" on the server). I tried using an iframe to violate JavaScript's same-origin policy; however, that didn't work. Are there any other workarounds I am not aware of?

Thanks!

+2  A: 

Hopefully not, as it would be a security hole! :)

But if both your sites are subdomains on the same domain, maybe document.domain can help.

Pekka
So if my domain is awesome.yahoo.com, for instance, and I am trying to access bob.yahoo.com, I could set document.domain to yahoo.com and then be able to access bob.yahoo.com?
Parris
Also, I do realize it is a security hole; however, I was hoping that there was a hole hahaha. If you think about it, using a proxy allows for a workaround. I don't understand why using a proxy is allowed while just accessing the file directly is not allowed. Also, I heard HTML 5 has some attributes that also allow for cross-domain stuff.
Parris
A proxy won't send the user's cookies or any other authentication data to the remote site - since it can't know what they are. It can only get data that the site could get anyway. It can't pretend to be the user. There is ongoing work to develop a permissions system so that XHR can access remote sites; browser support is currently weak.
David Dorward
Ahhh that makes sense. I had not considered that type of stuff.
Parris
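As an added example (not part of the original thread), here is a small model of the browser's "same origin-domain" check applied to the awesome.yahoo.com / bob.yahoo.com case asked about above. It shows that document.domain only helps when both pages set it, so the other site still has to cooperate. The function names are hypothetical, and the public-suffix check is simplified to "must contain a dot".

```javascript
// Added example: a model of the same-origin check and document.domain.
// Function names are hypothetical; hostnames are those from the comment above.

// An origin is (scheme, host, port); `domain` stays null until
// document.domain is explicitly set by the page.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol];
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort, domain: null };
}

// Models `document.domain = value`. The value must be the current host or a
// parent suffix of it. Real browsers consult the public suffix list; this
// sketch simplifies that to "must contain a dot" (assumption).
function setDocumentDomain(origin, value) {
  const isSuffix = origin.host === value || origin.host.endsWith('.' + value);
  if (!isSuffix || !value.includes('.')) {
    throw new Error('SecurityError: cannot set document.domain to ' + value);
  }
  return { ...origin, domain: value };
}

// "Same origin-domain": if both sides set document.domain, compare scheme and
// domain (port is ignored). If only one side set it, the check fails. If
// neither did, fall back to the full (scheme, host, port) comparison.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain !== null || b.domain !== null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function demo() {
  const parent = originOf('http://awesome.yahoo.com/page.html');
  const frame = originOf('http://bob.yahoo.com/frame.html');
  const parentRelaxed = setDocumentDomain(parent, 'yahoo.com');
  const frameRelaxed = setDocumentDomain(frame, 'yahoo.com');
  return {
    untouched: sameOriginDomain(parent, frame),             // different hosts
    oneSide: sameOriginDomain(parentRelaxed, frame),        // frame did not opt in
    bothSides: sameOriginDomain(parentRelaxed, frameRelaxed),
  };
}

console.log(demo());
```

The document.domain setter is deprecated in current browsers, so this model describes the legacy behaviour the answer refers to.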
+1  A: 

JSON-P is the simplest solution, and the only one (AFAIK) that doesn't require browser plugins (such as Flash).

This does require the cooperation of whoever runs the different origin site.

David Dorward
Right, I had heard of JSON-P, but in this group's case they don't want to bother the other groups. Thanks for the tip though, I will look into it more. Perhaps it is doable...
Parris
+1  A: 

As David Dorward mentioned, JSON-P is the simplest and fastest; however, there is another trick, specifically using two iframes. If you're interested or JSONP is not an option, I can go into further implementation details of the latter technique.

Justin Johnson
Actually yea please tell me!! :)
Parris
I'm actually going to write up something rather complete. Check back later.
Justin Johnson
So what's the downvote for?
Justin Johnson
Someone gave you a down vote?
Parris
A: 

Sooo as an update. I found out about: YQL from http://ajaxian.com/archives/using-yql-as-a-proxy-for-cross-domain-ajax

It will grab whatever URL you specify, wrap it in JSON and return it. You could then use jQuery's getJSON function to grab that URL. It seems to be working :)!

Parris
A: 

Just use easyXDM, it's a library that enables cross-domain messaging with very little coding, and it doesn't need any server components.

Sean Kinsey