same-origin-policy

My problem is the infamous "StatusCodeException: 0" problem happening when using GWT 2.6.1 when accessing page via subdomain https://sub.site.com/ . Now, this happens quite sporadically for one customer using IE11 and I can't reproduce this from several distinct computers using IE11, IE10, IE9 or IE8 (not to talk about Chrome or Firefox). Accessing exactly the same webapp from https://site.com/ seems to work fine for that customer. This obviously lead me to conclusion that I'm having problem with Same Origin Policy . What is strange though is that my webapp is designed in the way that no cross

While I was testing the SOP, i came to this scenario two documents has a relationship with the same domain as i would expected and it throws an error when i try to get the location. To reproduce the problem: Open https://www.google.com from the console let opened = window.open("https://www.google.com") from the same window do opened.location.toString() which will return the correct location from the second tab's console do document.domain = "www.google.com" from the first tab do opened.location.toString() and you will get an error Uncaught DOMException: Blocked a frame with origin "https://www

I am using GWT 2.4 to build an application that runs entirely client-side and uses a web service that I control but is hosted on a different server. On this Java Servlet web service, I have implemented doOptions like so: protected void doOptions(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.addHeader("Access-Control-Allow-Origin", "*"); response.addHeader("Access-Control-Allow-Methods", "POST, GET"); } And client-side in GWT I submit a request the standard way, e.g. public static void makeHttpGetRequest(String query, RequestCallback

I have a little trouble understanding the security bit around JSON, because often things that in theory should not work, seemingly do. AFAIK, calls from a script on a page that resides on domain A, are not supposed to be able receive data from a domain B. But in the code below the calls to one external domain fail, whereas another goes through. And neither one are packed JSON calls (jsonp). Why is this? Should not both be disallowed from getting through the browser security checks? I get the same results in Chrome and Firefox. If I host the below html-page on dropbox.com, Chrome gives me this

How do you simulate jQuery $.get() to load data from a different domain in jsFiddle? /* This won't work in jsFiddle. */ $.get("http://www.google.com", function(data) { ... } ); As we know, there is limitation: Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol. Deborah I solved this by creating a Fiddle in jsFiddle just for testing Ajax loads. It’s some very simple HTML with an image and some copy — you can see it here: <div class="container"> <img id=

I've got a page with an iframe. The page and the source of the iframe are in different domains. Inside the iframe I'm using a rich text editor called CuteEditor (which has turned out to be not so cute). There are certain javascript functions in CuteEditor which try to access 'document' but the browser denies access since they're not in the same domain. Here's the exact error: Permission denied to access property 'document' http://dd.byu.edu/plugins/cuteeditor_files/Scripts/Dialog/DialogHead.js Line 1 Editing the javascript is out of the question because it's been minfied and obfuscated so all

I'm a bit confused about the security aspects of CORS POST requests. I know there is a lost of information about this topic online, but I couldn't find a definite answer to my questions. If I understood it correctly, the goal of the same-origin policy is to prevent CSRF attacks and the goal of CORS is to enable resource sharing if (and only if) the server agrees to share its data with applications hosted on other sites (origins). HTTP specifies that POST requests are not 'safe', i.e. they might change the state of the server, e.g. by adding a new comment. When initiating a CORS request with

I have a http:// site that needs to access a 3rd party JSON API that is exposed on an https:// site. I've read through Ways to circumvent the same-origin policy , but it seems the methods described there aren't appropriate for me: The document.domain method - only works on subdomains. The Cross-Origin Resource Sharing method - requires server cooperation. The window.postMessage method - seems to require opening a popup window? The Reverse Proxy method - A possible solution, but seems a bit too hard to setup. http://anyorigin.com - seems to not support SSL. Is this it? Must I implement solution