Same Origin Policy -- clarifications?

  • Jeremy J Starcher

    Same Origin Policy -- clarifications?

    On a web-forum I chat at, there are multiple lists of posts.

    The forum, hosted on multiple servers, allows us to upload graphics and
    Javascript to "skin" our particular forum. In addition, the forums are
    broken into categories.

    Simplified example:
    tech.invalid.com
    pets.invalid.com


    Each of the sites, 'tech' 'pets' etc, has a See-Recent, which will show
    the last 50 posts in that particular branch of the forum, but it does NOT
    have a 'See-everything-recent' option. I've been asked to code one, if I
    can.

    Based on my exploring, it looks like the Same Origin Policy has really
    gotten stricter than the last time I ran up against it, almost a decade
    ago. With so much out-dated stuff out there on the 'net anymore, I'm not
    sure what the current state of security is.

    From 'tech.invalid.com' I cannot access the See-Recent from
    'pets.invalid.com' either through an iframe nor HttpRequest. Fair
    enough, I understand the security reasons on why not.

    My questions:

    a) if someone on pets.invalid.com hosted a Javascript file for me, could
    I load my script from the pets server and have it access that pets
    server freely, even though the main web page is hosted on the tech server?

    b) On one of the busier servers they have a load-balancing system that
    307s to a secondary server. This server is usually specified by IP
    address. What effect does this have on the SOP?



  • Thomas 'PointedEars' Lahn

    #2
    Re: Same Origin Policy -- clarifications?

    Jeremy J Starcher wrote:
    > [...]
    > The forum, hosted on multiple servers, allows us to upload graphics and
    > Javascript to "skin" our particular forum. In addition, the forums are
    > broken into categories.
    >
    > Simplified example:
    > tech.invalid.com
    > pets.invalid.com
    >
    > [...]
    > Based on my exploring, it looks like the Same Origin Policy has really
    > gotten stricter than the last time I ran up against it, almost a decade
    > ago. With so much out-dated stuff out there on the 'net anymore, I'm not
    > sure what the current state of security is.

    AFAIK nothing has really changed regarding "DOM Level 0" objects.

    > From 'tech.invalid.com' I cannot access the See-Recent from
    > 'pets.invalid.com' either through an iframe

    You should be able to. Have you set document.domain = "invalid.com" before?

    > nor HttpRequest.

    document.domain does not apply to XHR, you are stuck here unless you use a
    server-side proxy script.

    > a) if someone on pets.invalid.com hosted a Javascript file for me, could
    > I load my script from the pets server

    Yes.

    <script type="text/javascript" src="http://pets.invalid.com/foo.js">
    </script>

    > and have it access that pets server freely, even though the main web page
    > is hosted on the tech server?

    Depends. Besides, although it is unlikely that both sites are hosted on
    different servers, it does not really matter. What only matters here is the
    different domain of the URLs the Web sites are accessed with. This has not
    changed since "DOM Level 0".

    > b) On one of the busier servers they have a load-balancing system that
    > 307s to a secondary server. This server is usually specified by IP
    > address. What effect does this have on the SOP?

    None whatsoever, as the original request URI and therefore its domain part
    does not change.


    PointedEars
    --
    Use any version of Microsoft Frontpage to create your site.
    (This won't prevent people from viewing your source, but no one
    will want to steal it.)
    -- from <http://www.vortex-webdesign.com/help/hidesource.htm>
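    The three rules in this answer (plain same-origin comparison, document.domain relaxation, and the origin of an included script), together with Jeremy's follow-up point that document.domain must be set on both documents, modelled as runnable Node.js. This is an added example, not code from the thread; the tech/pets URLs are constructed from the thread's own example names.

```javascript
// Added example (not from the thread): a model of the Same Origin Policy
// checks discussed in the answer. Browsers compare scheme, host and port.

// Origin of a URL as scheme + host + port. The URL class drops a default
// port, so it is reinstated here to make "http://a:80" and "http://a" equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Plain SOP, as applied to DOM access and to reading an XMLHttpRequest
// response. The page's origin comes from the URL it was loaded from; a 307
// that sends the *request* elsewhere (e.g. to a backend named by IP address)
// does not change which origin the page is, so the redirect target is moot.
function sameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// document.domain relaxation (frames only; never XHR). Both documents must
// set it (a page that set it cannot script one that did not), to the same
// value, and that value must be a parent domain of each real hostname at a
// label boundary and contain a dot (so "com" alone is rejected). Ports are
// ignored once both sides have set it; the scheme must still match.
function isParentDomain(host, domain) {
  return domain.includes('.') &&
    (host === domain || host.endsWith('.' + domain));
}
function framesCanScript(pageUrl, pageDocDomain, frameUrl, frameDocDomain) {
  const p = new URL(pageUrl), f = new URL(frameUrl);
  if (p.protocol !== f.protocol) return false;
  if (!pageDocDomain && !frameDocDomain) return sameOrigin(pageUrl, frameUrl);
  if (!pageDocDomain || !frameDocDomain) return false;   // only one side set it
  return pageDocDomain === frameDocDomain &&
    isParentDomain(p.hostname, pageDocDomain) &&
    isParentDomain(f.hostname, frameDocDomain);
}

// A script pulled in with <script src="http://pets.../foo.js"> runs with the
// origin of the document that includes it, not of the server it came from:
// hosting the file on pets does not let a tech page read pets.
function scriptEffectiveOrigin(includingPageUrl, scriptSrc) {
  new URL(scriptSrc);            // src only decides what code runs, not its rights
  return originOf(includingPageUrl);
}
```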


    • Jeremy J Starcher

      #3
      Re: Same Origin Policy -- clarifications?

      On Wed, 30 Apr 2008 00:50:12 +0200, Thomas 'PointedEars' Lahn wrote:
      > Jeremy J Starcher wrote:
      >> [...]
      >
      > AFAIK nothing has really changed regarding "DOM Level 0" objects.
      >
      >> From 'tech.invalid.com' I cannot access the See-Recent from
      >> 'pets.invalid.com' either through an iframe
      >
      > You should be able to. Have you set document.domain = "invalid.com"
      > before?

      *nods* From everything I understand, document.domain needs to be set on
      BOTH documents for this to work. In my case, I only have access to one
      but not the other.

      >> nor HttpRequest.
      >
      > document.domain does not apply to XHR, you are stuck here unless you use
      > a server-side proxy script.

      *nods* I was afraid of that. In my case that would mean a third-party
      server. More effort than it's worth.

      >> a) if someone on pets.invalid.com hosted a Javascript file for me,
      >> could I load my script from the pets server
      >
      > Yes.
      >
      > <script type="text/javascript" src="http://pets.invalid.com/foo.js">
      > </script>
      >
      >> and have it access that pets server freely, even though the main web
      >> page is hosted on the tech server?
      >
      > Depends. Besides, although it is unlikely that both sites are hosted on
      > different servers, it does not really matter. What only matters here is
      > the different domain of the URLs the Web sites are accessed with. This
      > has not changed since "DOM Level 0".

      *nod* Understood.

      >> b) On one of the busier servers they have a load-balancing system that
      >> 307s to a secondary server. This server is usually specified by IP
      >> address. What effect does this have on the SOP?
      >
      > None whatsoever, as the original request URI and therefore its domain
      > part does not change.

      That one surprises me, but it does make sense. I figured the /final/ URI
      would be the one that mattered.

      Thanks for the help, Thomas.

      Looks like I am biting off a bigger project than I can chew and that it
      can't be done entirely client-side without access to either a) a separate
      proxy server or b) access to the forum server to change a few things.

      There used to be a bunch of loopholes in the Same Origin Policy last time I
      looked at it. Things are no longer the same. Oh well. The world must
      be for the better because of it.
