Cross-domain policies restrict downloading content from another domain:

  http://mysiteA.com   <--NO-->   http://myothersite.com

But is downloading from the same domain via a different protocol allowed and would it work (can someone test) in everyday web browsers?

  http://mysite.com    <--?-->    https://mysite.com
+2  A: 

Yes (to the question in the title), per Wikipedia's explanation of "same-origin policy":

The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same.

so http://foo.bar and https://foo.bar are not "same origin", for example.

Alex Martelli
Ah no. Note the protocol differences, so it's not the same origin, so it will not work.
blowdart
@blowdart: that is what Alex said. I think he answered the question in the title, rather than the question in the text, which is posed from the opposite direction.
Fredrik Mörk
Ah true, the title question and the question contents ask different things :) Apologies alex!
blowdart
Right, I was answering the question as asked in the title -- I hope whoever downvoted me on this will reconsider!-)
Alex Martelli
Don't be bothered about the voting system here, Alex, people over here can be crazy upvoting the things they like instead of correct/good things. Look how many votes the "funny" and "subjective" questions/answers get!
Jenko
+1  A: 

So you're confused. This is not XSS, but cross domain access - XSS is a security vulnerability where you are echoing user input back into an HTML page without encoding it.

What you are asking about is cross domain access, presumably from Ajax, but perhaps from Silverlight or Flash.

If this is so the answer is no, because the protocol is different, one site has HTTP, one site has HTTPS. You can only access resources where the protocol, the domain name, and the network port ALL match.

blowdart
Thanks for the clarification, but I'd still like someone to confirm whether this is so in good browsers like FF and IE, by attempting to download something (via JS) from another protocol on the same domain.
Jenko
What if I have control of both domains (HTTP and HTTPS), can I add a cross-domain policy file or configuration someplace to allow loading cross-protocol?
Jenko
You can't do this yourself? Well, I've done it when I was writing the RIA chapter in my book and trust me, it's not allowed in all the major browsers, IE, Mozilla, Safari, Chrome and Opera
blowdart
Cross domain policy files only come into play with flash or silverlight. (Although there's a move afoot to add them to HTML/DOM bits)
blowdart
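Both answers come down to the same rule: two URLs share an origin only if scheme, host and port all match. The following is an added example, not code from either answer, that applies that rule to the URLs in the question using the standard WHATWG `URL` class (available in browsers and Node); it normalises default ports and ignores path, query and fragment, and shows the `url.origin` shortcut as a cross-check.

```javascript
// Added example: model the same-origin comparison a browser performs before
// allowing script access to a fetched resource. Runs offline; no network used.

// Default ports per scheme. URL.port is "" when the URL uses the scheme's
// default, so "http://mysite.com" and "http://mysite.com:80" must compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Extract the (scheme, host, port) tuple that defines an origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same origin if and only if all three components are exactly equal.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Cross-check using the serialised origin the URL class computes itself.
function isSameOriginBuiltin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed cases taken from the question: different domain, different
// scheme on the same domain, same origin with path/query/default-port noise.
const CASES = [
  ["http://mysiteA.com", "http://myothersite.com"],     // other domain: blocked
  ["http://mysite.com", "https://mysite.com"],          // other scheme: blocked
  ["http://mysite.com", "http://mysite.com:80/a?x=1"],  // same origin: allowed
  ["https://mysite.com", "https://mysite.com:8443"],    // other port: blocked
];

function report() {
  return CASES.map(([a, b]) => ({
    a, b,
    sameOrigin: isSameOrigin(a, b),
    builtinAgrees: isSameOrigin(a, b) === isSameOriginBuiltin(a, b),
  }));
}

for (const r of report()) {
  console.log(`${r.a} <-> ${r.b}: ${r.sameOrigin ? "same origin" : "BLOCKED"}`);
}
```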