same-origin-policy

Wouldn't it have been simpler to just discard cookies for cross-domain XHR?

試著忘記壹切 Submitted on 2019-12-22 05:16:12
Question: I keep fighting with strange limitations when developing for the web. One of them is the same-origin limitation for AJAX requests, and I'm asking myself whether, instead of blocking requests to cross-domain resources, it wouldn't have been simpler to just discard cookies when making them (to avoid misuse of the authentication credentials of the browser session). Cookies are a facility but not quite essential (for example, you can generate pages with cookies in the request URLs if you need to keep context),

How to track Tweet Button clicks?

故事扮演 Submitted on 2019-12-22 01:26:32
Question: I want to track tweet button clicks via Google Analytics, but the tweet button is an iframe with content from another domain. Are there some tricks to add callbacks for a tweet button click? Answer 1: Or... you can simply add an event to your div and wait for when this div will be clicked, like: <div class="clickMe"> <!-- twitter button here --> </div> <script> $('.clickMe').click(function(){ // my awesome code here }) </script> Sure, if you need only the click, not a callback. Answer 2: <a style="float:left;position: relative

Userscript to bypass same-origin policy for accessing nested iframes

十年热恋 Submitted on 2019-12-21 20:54:42
Question: In the following HTML mockup, the nested iframes originate from different subdomains. This is causing messages such as error: Permission denied to access property "document" <html> <head> <title></title> </head> <body> <div> <iframe id="outer_iframe_1" src="https://subdomain1.example.com"></iframe> </div> <div> <iframe id="outer_iframe_2" src="https://subdomain2.example.com"> <div> <iframe id="inner_iframe_2" src="https://subdomain4.example.com"></iframe> </div> </iframe> </div> <div>

Same origin policy — JavaScript calling PHP

和自甴很熟 Submitted on 2019-12-21 05:24:08
Question: I know that this is a popular topic, but I've yet to find an answer that's completely comprehensive. I'm trying to create a simple way for our 'customers' to place a Google Map on their website, which plots the positions of our customers (or a subset thereof) on the map. The customers are in a MySQL database which is turned into XML on the fly by a PHP script (as per Google's example). This works fine on my website, but when I try it on another website the xmlHTTPRequest is not allowed to look

Why do some cross-domain JSON-requests fail but others don't?

喜你入骨 Submitted on 2019-12-21 05:06:24
Question: I have a little trouble understanding the security bit around JSON, because often things that in theory should not work seemingly do. AFAIK, calls from a script on a page that resides on domain A are not supposed to be able to receive data from a domain B. But in the code below the calls to one external domain fail, whereas another goes through. And neither one is a packed JSON call (jsonp). Why is this? Should not both be disallowed from getting through the browser security checks? I get the

AJAX in jsFiddle

荒凉一梦 Submitted on 2019-12-21 04:59:23
Question: How do you simulate jQuery $.get() to load data from a different domain in jsFiddle? /* This won't work in jsFiddle. */ $.get("http://www.google.com", function(data) { ... } ); As we know, there is a limitation: Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request cannot successfully retrieve data from a different domain, subdomain, or protocol. Answer 1: I solved this by creating a Fiddle in jsFiddle just for testing Ajax loads. It's some

Cross site scripting attacks and same origin policy

烂漫一生 Submitted on 2019-12-21 04:34:11
Question: I am familiar with persistent and non-persistent XSS. I also know about the Same Origin Policy, which prevents/restricts requests originating from one website's page from going to another website's servers. This made me think that the same origin policy can stop at least the non-persistent type of XSS attack (because in the persistent type of attack the malicious code's origin would be the same as that of the private information that is stolen). Is my understanding correct? Can SOP be used to stop/reduce these

How can I prevent an iframe from accessing parent frame?

我们两清 Submitted on 2019-12-21 03:55:26
Question: I've got a page with an iframe. The page and the source of the iframe are in different domains. Inside the iframe I'm using a rich text editor called CuteEditor (which has turned out to be not so cute). There are certain JavaScript functions in CuteEditor which try to access 'document', but the browser denies access since they're not in the same domain. Here's the exact error: Permission denied to access property 'document' http://dd.byu.edu/plugins/cuteeditor_files/Scripts/Dialog/DialogHead

Why is there no preflight in CORS for POST requests with standard content-type

為{幸葍}努か Submitted on 2019-12-20 18:11:02
Question: I'm a bit confused about the security aspects of CORS POST requests. I know there is a lot of information about this topic online, but I couldn't find a definite answer to my questions. If I understood it correctly, the goal of the same-origin policy is to prevent CSRF attacks, and the goal of CORS is to enable resource sharing if (and only if) the server agrees to share its data with applications hosted on other sites (origins). HTTP specifies that POST requests are not 'safe', i.e. they

How Come a CDN or External JavaScript File works in a Web Site?

那年仲夏 Submitted on 2019-12-20 10:33:26
Question: First off, I'm embarrassed that I don't know this. I know these things work, but I'm just not sure why. There is something I still don't get about CDNs and stuff like Google Analytics or AdSense. If these scripts are coming from a domain other than your site's domain, how does this all tie in with the same origin policy (SOP) and cross-site scripting (XSS)? From what I understand about XSS and SOP, these scripts just shouldn't be able to run or interact with the DOM in your site. How come they are