I want to develop JS on my Windows machine. Do you know a browser where I can turn off SOP so I can develop? Firefox would be optimal.
Or if you know a proxy I could use for a SOAP/WSDL site it would be great too.
I am trying to work with the SOAPClient (http://www.codeplex.com/JavaScriptSoapClient)
...
I'm doing an XSS report for my university, and I'm doing some tests with calling external webpages using AJAX.
The code I'm using for this example is very simple, and one of my target case-studies is to be able to call an outside web-page via AJAX with cross site disabled.
Note:
I only plan to use this on Firefox, and I am not concern...
I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same origins policy that I am having trouble understanding.
Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below:...
Cross-domain policies restrict downloading content from another domain:
http://mysiteA.com <--NO--> http://myothersite.com
But is downloading from the same domain via a different protocol allowed and would it work (can someone test) in everyday web browsers?
http://mysite.com <--?--> https://mysite.com
...
I'm trying to semi-recreate Mozilla's demo usage of JavaScript + <video> + <canvas> with files that aren't hosted on a server.
Loading my document causes the error console to report this error:
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:...
The scene: I'm writing an embeddable widget. It takes the form of a <script> tag, which builds an iframe containing everything it needs to display. The iframe has no src, and the script writes to it with theIframe.contentWindow.document.write(). This keeps the widget contained, and keeps element ids and script from conflicting with th...
I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST.
i.e. this would be a one step attack relying on a page that responds to HTTP GET
<img src="http://amazon.com/buybook/anarchistscookbook/mailto/me/execute.php">
But with better libraries like jquery,...
I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets a cookie before the frameset is loaded. However, because of the 'same origin' policy, enforced by most browsers, a contained frame will not pass cookies if it is not fro...
From: https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
The same origin policy prevents a document or script loaded from one
origin from getting or setting properties of a document from another origin.
This policy dates all the way back to Netscape Navigator 2.0.
So why is not the same origin policy enforced?, when a...
I have some code that I would swear was working a month ago. However, now the code throws a
permission denied to get property Window.jQuery error. I can see this error in the Firefox error console.
The code in question belongs to a window that was opened via JavaScript. This code attempts to update the contents of a DIV in the opening ...
Suppose:
You have a website http://www.example.com that redirects to a project on Google App Engine (i.e. example.appspot.com);
you want communications to pass between the user over SSL (i.e. https://example.appspot.com); and
You want the domain to be shown to the user to be *://www.example.com (i.e. not https://example.appspot.com).
...
Hey, I am wondering if there is a way to get the URL of the page shown in an iframe with PHP or JavaScript. I want it so that when a user clicks a link in the iframe, so it isn't the initial iframed page, and then clicks another button, that button will get the new URL of the page that is currently in the iframe. Thanks.
...
Webpage A is embedded in an iframe inside of webpage B. A and B are on two different domains and therefore the same origin policy prevents A from accessing properties of B like so:
location = window.top.location.href // emits a "Permission denied" error
Is there any other way for A to get B's url?
...
So I know that if I include an iFrame to a page that is not on the same domain I can't access that iframe's DOM via browser policy, but can a page that is in an iframe do any kind of parent document accessing?
Specifically, I have two ideas that are contingent on this question:
If the embedded page can tell that it is not the parent win...
I have a solr index on a remote server and need to create a search page interface. I am using GWT to code the pages and XML-HTTP to query the index and receive the response. The problem is the same-site origin security policy. It won't let JavaScript retrieve the remote XML data. Is there a workaround for this, without using JSON prefera...
Hi.
I have a 'toolbar' that displays some code on the top of the window, and then I load an iframe with an external site. I realize that I can't get the active link the user is on because it would be a violation of same origin policy.
Is there any way (using greasemonkey maybe?) that I could get the active url of the external iframe?
...
Hello --
I am trying to do some basic geocoding using the Google Maps API and a GWT dynamic web project in Eclipse. For example, query the following URL:
http://maps.google.com/maps/geo?q=1600+Amphitheatre+Parkway,+Mountain+View,+CA&output=json&sensor=false
and get back the data for parsing. I am running into some confusi...
Hello,
Have some Javascript that I need to work via the following:
://localhost
://servername
:/www.domainnamefortheserver.com
When I run the script from http://servername with an IFRAME referencing the domain - it does not load.
Is there a way to get the Javascript security model to recognize the server name, localhost and the dom...
My current solution:
    function isAccessToWindowRestricted(w) {
        try {
            return !w.location.href;
        } catch (e) {
            return true;
        }
    }
Any better ideas? Is there a 'legal' way without try-catch?
...
Meebo's new 'bar' service puts a floating bar with links and chat functions at the bottom of any given webpage with just a dash of Javascript and HTML. I'd like to build something like it, but I'm flummoxed as to how they got around the same origin issues.
It looks like they're injecting an iframe and some script tags, but how they acco...