same-origin-policy

The related domain cookie attack (more info) allows machines in the same DNS domain to add additional cookies that will also be sent to other computers in the same domain. This can cause issues with authentication, or at worst be a component in a confused deputy attack. Question How can I protect ASP.NET or ASP.NET MVC from this type of attack? One possible attack scenario I log into a "secure" web app I get the credentials for my account I trick the user into visiting my site on the same DNS domain I insert the cookie (of my creds) the user goes back to your app. Both cookies (or an

I am getting an error with Flutter Webview (webview_flutter: ^0.1.2) when loading a Youtube Video, (though I initially thought its related to content security issue,) it seems to be an issue with secure origin on HTTPS. On browser this is usually mitigated by moving to HTTPS domain, looking for a way to solve this on Mobile Container( child: WebView( initialUrl: Uri.dataFromString( '<html>' '<meta http-equiv="Content-Security-Policy" content="default-src * gap:; script-src * \'unsafe-inline\' \'unsafe-eval\'; connect-src *; img-src * data: blob: android-webview-video-poster:; style-src * \

Maybe some of you can help me get a better understanding of the javascript same origin policy. The same origin policy is defined as following ( http://en.wikipedia.org/wiki/Same_origin_policy ): In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites. I have deployed a GWT

How does the Same Origin Policy apply to the following two domains? http://server1.MyDomain.com http://server2.MyDomain.com Can I run JS on a page hosted on server1, if the content is retreived from server2? edit according to Daniel's answer below, I can include scripts between different subdomains using the <script> tag, but what about asynchronous requests? What if I download a script from server2 onto the page hosted on server1. Can I use the script to communicate asynchronously with a service on server2? Daniel Vassallo You can only include scripts between different subdomains using the

Suddenly, seemingly without changing anything in my web app, I started getting CORS errors when opening it in Chrome. I tried adding an Access-Control-Allow-Origin: * header. Then I get this error: XMLHttpRequest cannot load http://localhost:9091/sockjs-node/info?t= 1449187563637. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost:3010' is therefore not allowed access. But as you can see in the following image, there is no Access-Control-Allow-Credentials header. WTF? Chrome bug? My page is loaded at http:/

I am trying to embed a page that is dynamically built using Javascript in Google Apps Script into my website in an iFrame, but the iFrame's content isn't shown. Google Apps Script has a same-origin policy which prevents it from loading. What I am trying to do is (I removed the full link): <iframe src="https://script.google.com/a/macros/SCRIPT_ID"></iframe> The error I am getting is: Refused to display 'https://script.google.com/a/macros/SCRIPT_ID' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'. Is there a way to alter the policy and load the content in an iFrame? Google had just