same-origin-policy

I need to serve user-submitted scripts on my site (sort of like jsfiddle ). I want the scripts to run on visitors browsers in a safe manner, isolated from the page they are served on. Since the code is submitted by users, there is no guarantee it is trustworthy. Right now I can think of three options: Serve the user-submitted content in an iframe from a different domain , and rely on the same-origin policy. This would require setting up an additional domain which I'd like to avoid if possible. I believe this is how jsfiddle does it. The script can still do some damage, changing top.location

I don't really get Access-Control-Allow-Origin and CORS. If I allow request from any domain to my page, does that imply any security issues for my page? I always thought, that SOP ensures, that there can't run any script on a page, which requests data from another server, as that data might be malicious. But as the server, which serves the malicious data, can just reply with a header containing Access-Control-Allow-Origin:* , everything can be loaded from that server. So as soon as somebody manages to inject a piece of JS code into a page, every malicious code can be loaded from a server

Are 127.0.0.1 and localhost considered as two different domains by browsers and therefore enforce cross-domain (same origin policy) restrictions? I observed it works sometime (in case of simple web pages) and does not work with Flex based web pages. For example: Scenario I: In a web page called page1.htm, you call a script as follows: <script type="text/javascript" src="js/somejsscript.js"></script> or <script type="text/javascript" src="http://localhost/js/somejsscript.js"></script> and you access the page as http://localhost/page1.htm Scenario II: You call the script as follows: <script type

I know that the jQuery .load() function has a "problem": You can't retrieve pages that are outside of the current domain, because of the Same Origin Policy , but I remember when I was developing another program that I could do cross-domain AJAX without problems while on an PhoneGap compiled environment, but will it work while on PhoneGap(like normal AJAX) or it will just fail because of the policy? Jasper You can use .load() or $.ajax() in PhoneGap applications. Most of my experience is with getting information from the same domain under which the app. is packaged. For example: App. package

I have a question regarding the same-origin policy. My company has many subdomains and in one of them they would like an iframe with another subdomain inside of it and populate the form of the iframe. I have read about the document.domain property and that I would need to set in on all three domains, however I can not easily test this due to each subdomain belonging to a different department. So here is my question: Is this possible when the subdomains are both https, and the root domain is not? I looked at the examples on wikipedia, but that didn't help me. Any help would be greatly