same-origin-policy

Can I disable SOP (Same Origin Policy) on any browser for development?

I want to develop JS on my Windows machine. Do you know a browser where I can turn off SOP so I can develop? Firefox would be optimal. Or if you know a proxy I could use for a SOAP/WSDL site it would be great too. I am trying to work with the SOAPClient (http://www.codeplex.com/JavaScriptSoapClient) ...

Is there any way to bypass NS_ERROR_DOM_BAD_URI when cross site access is disabled?

I'm doing an XSS report for my university, and I'm doing some tests with calling external webpages using AJAX. The code I'm using for this example is very simple, and one of my target case-studies is to be able to call an outside web-page via AJAX with cross site disabled. Note: I only plan to use this on Firefox, and I am not concern...

Why do frame breakers work cross-domain, and can you conditionally use frame breakers?

I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same origins policy that I am having trouble understanding. Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below:...

Do cross-domain policies restrict downloading from different protocols for the same domain?

Cross-domain policies restrict downloading content from another domain: http://mysiteA.com <--NO--> http://myothersite.com But is downloading from the same domain via a different protocol allowed and would it work (can someone test) in everyday web browsers? http://mysite.com <--?--> https://mysite.com ...

How do I bypass a same origin policy violation for one local file to another?

I'm trying to semi-recreate Mozilla's demo usage of JavaScript + <video> + <canvas> with files that aren't hosted on a server. Loading my document causes the error console to report this error: Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:...

How do I build an iframe with the same domain as the page in Safari/WebKit

The scene: I'm writing an embeddable widget. It takes the form of a <script> tag, which builds an iframe containing everything it needs to display. The iframe has no src, and the script writes to it with theIframe.contentWindow.document.write(). This keeps the widget contained, and keeps element ids and script from conflicting with th...

Any logical loop holes in this idea for preventing Cross Site Request Forgery?

I've read several XSRF solutions that rely on adding more tokens to the response, which do help protect code that only runs on POST. i.e. this would be a one-step attack relying on a page that responds to HTTP GET <img src="http://amazon.com/buybook/anarchistscookbook/mailto/me/execute.php"> But with better libraries like jquery,...

Work around for the same origin policy problem

I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets a cookie before the frameset is loaded. However, because of the 'same origin' policy, enforced by most browsers, a contained frame will not pass cookies if it is not fro...

Is google AJAX Libraries API bypassing same origin policy?

From: https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0. So why is the same origin policy not enforced when a...

Why does my JavaScript / jQuery interaction with a child window raise a "permission denied" error?

I have some code that I would swear was working a month ago. However, now the code throws a permission denied to get property Window.jQuery error. I can see this error in the Firefox error console. The code in question belongs to a window that was opened via JavaScript. This code attempts to update the contents of a DIV in the opening ...

Can one use Ajax on Google App Engine as a logged in user over https from a non-appspot.com domain?

Suppose: You have a website http://www.example.com that redirects to a project on Google App Engine (i.e. example.appspot.com); you want communications to pass between the user over SSL (i.e. https://example.appspot.com); and You want the domain to be shown to the user to be *://www.example.com (i.e. not https://example.appspot.com). ...

Iframe Url after initial page is navigated from

Hey, I am wondering if there is a way to get the URL of the page shown in an iframe with PHP or JavaScript. I want it so that when a user clicks a link in the iframe, so it isn't the initial iframed page, and then clicks another button, that button will get the new URL of the page that is currently in the iframe. Thanks ...

How to get the url of a webpage that is embedding another page in an iframe on a different origin domain

Webpage A is embedded in an iframe inside of webpage B. A and B are on two different domains and therefore the same origin policy prevents A from accessing properties of B like so: location = window.top.location.href // emits a "Permission denied" error Is there any other way for A to get B's url? ...

Can iframe pages tell when they are iframed?

So I know that if I include an iFrame to a page that is not on the same domain I can't access that iframe's DOM via browser policy, but can a page that is in an iframe do any kind of parent document accessing? Specifically I have two ideas that are contingent on this question: If the embedded page can tell that it is not the parent win...

GWT interface to Solr index

I have a solr index on a remote server and need to create a search page interface. I am using GWT to code the pages and XML-HTTP to query the index and receive the response. The problem is the same-site origin security policy. It won't let JavaScript retrieve the remote XML data. Is there a workaround for this, without using JSON prefera...

depress same origin policy

Hi. I have a 'toolbar' that displays some code on the top of the window, and then I load an iframe with an external site. I realize that I can't get the active link the user is on because it would be a violation of same origin policy. Is there any way (using greasemonkey maybe?) that I could get the active url of the external iframe? ...

What is the most straightforward GWT workaround for same origin policy restriction (trying to query google maps api)?

Hello -- I am trying to do some basic geocoding using the google maps API and a GWT dynamic web project in Eclipse. For example, query the following URL: http://maps.google.com/maps/geo?q=1600+Amphitheatre+Parkway,+Mountain+View,+CA&output=json&sensor=false and get back the data for parsing. I am running into some confusi...

Javascript security / cross scripting on same server

Hello, Have some Javascript that I need to work via the following: ://localhost ://servername :/www.domainnamefortheserver.com When I run the script from http://servername with an IFRAME referencing the domain - it does not load. Is there a way to get the Javascript security model to recognize the server name, localhost and the dom...

What is the best way to find out that access to the parent window has restrictions due to the same origin policy?

My current solution: function isAccessToWindowRestricted(w) { try { return !w.location.href; } catch (e) { return true; } } Any better ideas? Is there a 'legal' way without try-catch? ...

How do toolbars like the Meebo Bar work?

Meebo's new 'bar' service puts a floating bar with links and chat functions at the bottom of any given webpage with just a dash of Javascript and HTML. I'd like to build something like it, but I'm flummoxed as to how they got around the same origin issues. It looks like they're injecting an iframe and some script tags, but how they acco...