same-origin-policy

How does Same Origin Policy apply to browser extensions?

余生长醉 posted on 2019-11-26 16:55:09
Question: Given a browser extension that sends information from one webpage to an entirely different server, is this violating the same origin policy? Answer 1: The same-origin policy (SOP) applies to ordinary web pages, not browser extensions, even if they are written in JavaScript. What does "different server" mean when the extension code does not originate from a server? (The extension script might have some kind of origin, like chrome-extension://longhashidentificationstr, but not a traditional

Disable firefox same origin policy

瘦欲@ posted on 2019-11-26 14:06:44
I'm developing a local research tool that requires me to turn off Firefox's same origin policy (in terms of script access, I don't really care about cross domain requests). More specifically, I want scripts in the host domain to be able to access arbitrary elements in any iframes embedded in the page, regardless of their domain. I'm aware of previous Q&As which mentioned the CORS FF extension, but that is not what I need, since it only allows CORS, but not script access. If it cannot be done easily, I would also appreciate any insights that point me to specific part of FF src code that I can

Google Chrome --allow-file-access-from-files disabled for Chrome Beta 8

不想你离开。 posted on 2019-11-26 13:19:35
I have been developing an AJAX application using jQuery and Microsoft Seadragon technology. I need to have access to the html5 canvas function toDataURL. With Google Chrome, the same origin rule applies to this function which means that a page run locally (with the file:/// in the URL) failed to satisfy the same origin rule and an exception is thrown. With Chrome 7, starting the application with --allow-file-access-from-files option, allows to call canvas.toDataURL() from local files. However, it seems that starting the Chrome Beta 8 with the same option (--allow-file-access-from-files) does

Same Origin Policy - AJAX & using Public APIs

那年仲夏 posted on 2019-11-26 13:07:27
Question: I know if on my own webpage, if my user is on: http://www.example.com/form.php and I make an ajax request from that page to: http://example.com/responder.php It will fail because of the Same origin policy (subdomain is different). What I am trying to understand is, how is it that AJAX requests can pull data from APIs like flickr when the request and server are obviously different. Edit: eg: Why does this code work? $.getJSON('http://api.flickr.com/services/rest/?&method=flickr...'

same-origin policy and CORS - what's the point?

好久不见. posted on 2019-11-26 12:45:16
Question: I have some trouble understanding the same-origin policy and the different ways to "workaround" it. It is clear that the same-origin policy exists as a security measure, so one script that comes from a server/domain has no access to data coming from another server/domain. It is also clear that sometimes, it is useful to be able to break this rule, so for example a mashup application accesses information from different servers in order to build up the results wanted. And one of the ways to

Access child iFrame DOM from parent page

北慕城南 posted on 2019-11-26 12:43:33
Question: Here is the deal: domain.com/page -- Parent page (document.domain=domain.com) contains an iframe. sub.domain.com/page -- Child iframe (document.domain=not set) is on a subdomain. Is there any way to access the DOM of that iframe or am I out of luck? Does same origin policy block me from forcing a document.domain on an iframe contained within a parent page? I suppose that would defeat the purpose of the same origin policy... If that is the case, is there any workaround to access the DOM of the

Cross Domain Form POSTing

跟風遠走 posted on 2019-11-26 11:34:34
I've seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I've seen someone suggest that same-origin policy does not apply to form posts, is here. I'd like to have an answer from a more "official" or formal source. For example, does anyone know the RFC that addresses how same-origin does or does not affect a form POST? Clarification: I am not asking if a GET or POST can be constructed and sent to any domain. I am asking: if Chrome, IE, or Firefox will allow content from

HTML5 Canvas getImageData and Same Origin Policy

两盒软妹~` posted on 2019-11-26 09:45:59
Question: I have a site running at pixie.strd6.com and images hosted through Amazon S3 with a CNAME for images.pixie.strd6.com. I would like to be able to draw these images to an HTML5 canvas and call the getImageData method but it throws Error: SECURITY_ERR: DOM Exception 18 I have tried setting window.domain = "pixie.strd6.com", but that has no effect. Additionally, $.get("http://dev.pixie.strd6.com/sprites/8516/thumb.png?1293830982", function(data) {console.log(data)}) also throws an error:

Getting around same origin policy in javascript without server side scripts

杀马特。学长 韩版系。学妹 posted on 2019-11-26 06:39:04
Question: I have an environment that doesn't allow server side scripting really (it is extremely difficult to get a script "installed" on the server). I tried using an iframe to violate javascript's same origin policy; however, that didn't work. Are there any other workarounds I am not aware of? Thanks! Answer 1: As David Dorward mentioned, JSON-P is the simplest and fastest; however, there is another trick, specifically using two iframes. To get around this issue without using JSONP, you can do the

Using iframe with local files in Chrome

狂风中的少年 posted on 2019-11-26 05:33:47
Question: I am having a tough time figuring out how to access a page loaded in an iframe from the outer page. Both pages are local files, and I'm using Chrome. I have an outer page, and many inner pages. The outer page should always display the page title for the inner page (it makes sense in my application, perhaps less so in this stripped-down example). This works without any problem in AppJS, but I've been requested to make this app work directly in the browser. I'm getting the error " Blocked a