same-origin-policy

crossDomain heartbeat can't parse jsonp data with jquery

给你一囗甜甜゛ submitted on 2019-12-20 05:18:17
Question: I am embedding my module, an ASP.NET project, in a "portal"; the portal generates an iframe to my URL. I know it's shit but I didn't make it. To avoid the session in the main "portal" ending while the user is iterating with my web project, the portal owner told me to start a heartbeat by JavaScript from my application to the portal. Everyone knows keeping a session in this way is insecure, but the 'portal' is there, so I have nothing to do. The real problem is that I can't do cross-domain requests from my application to portal

Sandbox access violation when using tinyeditor wysiwyg editor in chrome extension

耗尽温柔 submitted on 2019-12-20 04:38:42
Question: I'm getting the following error when attempting to load a third-party WYSIWYG editor in a Chrome extension. Sandbox access violation: Blocked a frame at "chrome-extension://cmcjindomengjienigbcldekcfnhfped" from accessing a frame at "null". Both frames are sandboxed and lack the "allow-same-origin" flag. I initially got a similar error and managed to resolve it by adding the allow-same-origin flag. This resulted in another error which required the allow-scripts flag. Below is the current

Google Drive API, can't open standard sharing dialog via JS (x-frame-options error)

此生再无相见时 submitted on 2019-12-19 07:53:26
Question: I have a JavaScript app which uses the Google Drive API. I read how to open a standard sharing dialog here: https://developers.google.com/drive/web/manage-sharing <head> ... <script type="text/javascript" src="https://apis.google.com/js/api.js"></script> <script type="text/javascript"> init = function() { s = new gapi.drive.share.ShareClient('<MY_APP_ID>'); s.setItemIds(["<MY_FILE_ID>"]); } window.onload = function() { gapi.load('drive-share', init); } </script> </head> <body> <button onclick

How to disable same origin policy in Chrome extension?

柔情痞子 submitted on 2019-12-19 04:09:20
Question: Maybe there are some settings to disable this in extension context. Since I'm developing an extension it should be my own responsibility to not shoot my own goal. It is very frustrating to fiddle with this security thing that is totally out of reason when developing browser extensions. I don't want to make the whole browser insecure by disabling it globally, just for the scripts that are set in the "content_scripts" section in manifest.json. Answer 1: Your manifest.json file should have the domain you're

Jquery - intercept links clicked inside an iframe

爷,独闯天下 submitted on 2019-12-18 17:24:12
Question: I am trying to intercept links clicked on a page including those inside an iframe. This is the code that I have but it is not working. Any ideas what I need to do? $("#container").delegate('a', 'click', function(e){ //do stuff } Container is the id of the div just inside the iframe. Thanks in advance for any advice. Answer 1: You need to reach inside the <iframe> and set the delegate there, you can do it like this: $('#myiframe').contents().find("#container").delegate('a', 'click', function(e){ /

XMLHttpRequest and Phonegap… Same Origin Policy or not?

♀尐吖头ヾ submitted on 2019-12-18 15:51:57
Question: I'm still new to Phonegap and I have been working with the Android SDK for some days now. At least I wanted to do an XMLHttpRequest to get data from my server. I knew about the Same Origin Policy before and I asked myself how this should work with a "native app". I searched the internet and found some topics where people were telling others that there is no Same Origin Policy on Phonegap, because it uses the file:// protocol and additionally there is a domain whitelist in its config.xml. On the

Error: Permission denied to access property “x” due to same/cross origin policy using Selenium?

随声附和 submitted on 2019-12-18 09:47:50
Question: I want to access the content of a script which is inside another HTML element which I can identify easily. I've tried to find the element by getting the parent and then looking for a child but I've not been able to do it. So I tried to get it just using the console in Firefox and use that element to read the content and I'm not able to do it. It looks like this: When I tried to do anything with that element I get a link to the following page and error: Permission denied to access property.

What is the concept behind Access-Control-Allow-Origin and CORS?

纵然是瞬间 submitted on 2019-12-18 09:15:29
Question: I don't really get Access-Control-Allow-Origin and CORS. If I allow requests from any domain to my page, does that imply any security issues for my page? I always thought that SOP ensures that there can't run any script on a page which requests data from another server, as that data might be malicious. But as the server which serves the malicious data can just reply with a header containing Access-Control-Allow-Origin:*, everything can be loaded from that server. So as soon as somebody

Are 127.0.0.1 and localhost considered as two different domains by browsers?

血红的双手。 submitted on 2019-12-18 08:49:18
Question: Are 127.0.0.1 and localhost considered as two different domains by browsers and therefore enforce cross-domain (same origin policy) restrictions? I observed it works sometimes (in case of simple web pages) and does not work with Flex-based web pages. For example: Scenario I: In a web page called page1.htm, you call a script as follows: <script type="text/javascript" src="js/somejsscript.js"></script> or <script type="text/javascript" src="http://localhost/js/somejsscript.js"></script> and you

Javascript CORS - No 'Access-Control-Allow-Origin' header is present

空扰寡人 submitted on 2019-12-18 07:12:54
Question: I've been working with CORS and encountered the following issue. The client complains that no 'Access-Control-Allow-Origin' header is present, while they are present, and the client makes the actual POST request and receives 200. function initializeXMLHttpRequest(url) { //the code that initialize the xhr var xhr = new XMLHttpRequest(); xhr.open('POST', url, true); xhr.withCredentials = true; xhr.setRequestHeader('Content-Type', 'application/json; charset=UTF-8'); //set headers for (var key in