same-origin-policy

Request external website data using jQuery ajax

丶灬走出姿态 posted on 2019-12-06 09:12:12
Question: I've tried reading up about this and not really sure where to start, so hoping somebody will be able to point me in the right direction. Basically I'm trying to use jQuery ajax to read an external website and retrieve a list of links from it. No particular reason as such at the moment, just wanted to see if I could challenge myself by doing it. In doing so I've read up a little about the Same Origin Policy and understand it (sort of) but could do with some pointers. Is this possible to do? I

How do I bypass a same origin policy violation for one local file to another?

╄→гoц情女王★ posted on 2019-12-06 07:01:32
Question: I'm trying to semi-recreate Mozilla's demo usage of JavaScript + <video> + <canvas> with files that aren't hosted on a server. Loading my document causes the error console to report this error: Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///media/disk/javascript/html5/chromakey/chromakey1.htm Line: 23"] Here's line 23: this.referenceImageData = this.bCtx.getImageData(0, 0, this.bufferCanvas.width,

Access-Control-Allow-Origin header when Origin 'null' when trying to post data to a LOCAL application

我们两清 posted on 2019-12-06 06:06:30
I'm working on a program which will help interface with your bitcoin wallet via the browser. By setting up the bitcoin client as a server with the following commands in its .conf file... server=1 rpcuser=test rpcpassword=test rpcallowip=127.0.0.1 It will allow it to run as a server and thus let you post JSON commands at it. I've gotten this to work with the following code below. $.ajax({ url: 'http://test:test@127.0.0.1:29661', type: 'POST', contenType: 'application/json', cache:false, dataType:"json", data: '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }', timeout:

Which server needs to return Access-Control-Allow-Origin header?

て烟熏妆下的殇ゞ posted on 2019-12-06 05:53:09
Let's say I have an HTML page, served up from example.com. It makes a JavaScript ajax request to targetServer.com. Which server needs to return an Access-Control-Allow-Origin="(something)"? Is it the targetServer or the server that served up the original HTML page (i.e. example.com)? [I know this probably is obvious, but the docs on the web seem to imply the targetServer has to send an allow-origin header of "example.com" But if this is a security feature, wouldn't a malicious targetServer.com always serve up a suitable allow-origin header? It sort of makes sense that example.com would give

Calling parent window method from Iframe (different)

冷暖自知 posted on 2019-12-06 04:29:02
I have a page on a domain: http://main.mydomain.com/frame.cfm which holds an iframe, loading a domain http://www.anotherdomain.com . This page http://www.anotherdomain.com has a script reference to http://sub.mydomain.com/somescript.js This somescript is a tracking script like google Analytics, which loads with each request of www.anotherdomain.com. At a certain stage, the script http://sub.mydomain.com/somescript.js in the page www.anotherdomain.com will try to call window.top.aFunction(); or parent.aFunction(); to make the parent window do something. I know about the X-Frame-Options and the

Chrome Extension: how to change origin in AJAX request header?

自闭症网瘾萝莉.ら posted on 2019-12-06 00:28:19
Question: I'm trying to manually set an origin in an ajax request header. In my background.js, I have this var ajaxResponse; $.ajax({ type:'POST', url:'www.somewebsite.com/login/login.asp', headers:{ 'origin': 'https://www.somewebsite.com' }, success: function(response){ ajaxResponse = response; } }); As you can see, the origin is changed. But when this Chrome extension gets executed, the origin gets overridden to chrome-extension://iphajdjhoofhlpldiilkujgommcolacc and the console gives error 'Refused to

Is it safe to have sandbox=“allow-scripts allow-popups allow-same-origin” on <iframe />?

会有一股神秘感。 posted on 2019-12-06 00:18:54
I'm dynamically creating an iframe in my app, result looks as follows: <iframe src="blob:http%3A//localhost%3A9292/0194dfed-6255-4029-a767-c60156f3d359" scrolling="no" sandbox="allow-scripts allow-popups allow-same-origin" name="sandbox" style="width: 100%; height: 100%; border: 0px;"></iframe> Is it safe to have such sandbox configuration (especially allowing the iframe content to be treated as being from the same origin)? allow-same-origin is not safe. That will give the iframe the possibility to access parent data (also local storage for example) Also allow-same-origin will allow the iframe

Catching same origin exception in Javascript?

一个人想着一个人 posted on 2019-12-06 00:01:52
I'm trying to create my own XMLHttpRequest framework to learn how these things work internally. A thing that puzzles me is that I cannot find how to catch a "Same origin" exception. The idea behind this is that I try to load a URL, if I get a Same origin exception, I re-request the URL through a proxy script local for the script. The reason I do this is because I need to access production data from a development sandbox and I want it to be as transparent as possible for the script itself. I know it's a bad practice but this is the least intrusive way of doing this at the moment :) Just to clear

GWT-RPC and the infamous sporadic “StatusCodeException: 0” exception revisited

耗尽温柔 posted on 2019-12-05 23:14:40
Question: My problem is the infamous "StatusCodeException: 0" problem happening when using GWT 2.6.1 when accessing page via subdomain https://sub.site.com/ . Now, this happens quite sporadically for one customer using IE11 and I can't reproduce this from several distinct computers using IE11, IE10, IE9 or IE8 (not to talk about Chrome or Firefox). Accessing exactly the same webapp from https://site.com/ seems to work fine for that customer. This obviously led me to the conclusion that I'm having problem

Web API 2 project and MVC 5 Website project in same domain

非 Y 不嫁゛ posted on 2019-12-05 10:42:21
Technologies used: BreezeJS OData Web API 2 MVC 5 IDE: Visual Studio 2013 I've been wrestling with the idea of having a Web API project and a separate web site project in a single solution. My Web API 2 project opens up as: localhost:2020/ExampleProject.API My MVC 5 WebSite project opens up as: localhost:5050/ExampleProject.WebSite Now by default web api doesn't allow cross origin policies. So I played around with enabling CORS in my Web API 2, although I was able to get it to work, it only works for the latest browsers; I need the backward compatibility of IE7 to IE9. So I played around with