tags:

views:

48

answers:

2
+2  Q: 

Modern browsers break same origin policy?

According to this video http://www.facebook.com/video/video.php?v=562087699610 modern browsers break same origin policy so javascript can make ajax calls to whatever domain.

Is this true?

If yes, does this mean that this will be natural/acceptable whenever necessary eg to fetch data from my partner applications?

+1  A: 

Perhaps a reference to CORS ?

Matthew Wilson  2010-10-28 10:42:00
Didn't know about that! Maybe I should use it already for my production web applications and enforce users to use the latest browsers? =)
weng  2010-10-28 11:18:22
+1  A: 

Note that browsers don't enforce this policy for included scripts (the same for included images or CSS). That means that someone can cleverly dynamically add:

<script type="text/javascript" src="http://otherdomain/something.js"&gt;&lt;/script&gt;

In order to have cross-domain data. This is possible even without using CORS.

Look at JSONP at Wikipedia.

Denilson Sá  2010-10-28 11:31:00
Will this be deprecated in favor of CORS in the future?
weng  2010-10-28 11:42:16
I don't know, but probably not. Many people load jQuery and other JavaScript libraries from Google servers. Also, most advertisement today is based on including an external JavaScript. Thus, I believe it won't be removed anytime soon. Also note that CORS support more features than JSONP (HTTP requests other than GET, better error handling...). http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
Denilson Sá  2010-10-28 11:49:18

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?