cross domain localstorage with javascript

Question

We have a javascript api.js which is hosted on domain api.abc.com. It manages the local storage.

We included this javascript in our websites at abc.com and login.abc

Answer 1

The other answers all ignore the fact that you're not really operating cross-domain, just between subdomains.

You still need a hidden iframe to encapsulate the origin of the localStorage store you want to access (api.abc.com), but by setting document.domain = "abc.com" on both main window and hidden iframe, they can interact directly.

Then you can literally just use hiddenIFrame.contentWindow.localStorage instead of window.localStorage, and forget about the headache of doing anything via postMessage().

I posted a more detailed version of this answer here: https://stackoverflow.com/a/63602446/999120

Answer 2

As noticed in your post the localStorage (sessionStorage too) won't be stored on the storage related to the domain api.abc.com. If this was the case, by using CDN version of a library using localStorage you would have to share storage with all the other websites using this library.

One good solution could be to use an iframe with postMessage as explained in the following stack overflow: use localStorage across subdomains

Answer 3

How about using cross domain postmessage and iframes?

So on your wrong-domain-page you include an iframe that posts messages with the cookie data back.

Here is a solid example of cross domain postmessages: http://blog.teamtreehouse.com/cross-domain-messaging-with-postmessage

live example: http://codepen.io/anon/pen/EVBGyz //forked sender code with a tiiiiiny change :) :

window.onload = function() {
    // Get the window displayed in the iframe.
    var receiver = document.getElementById('receiver').contentWindow;

    // Get a reference to the 'Send Message' button.
    var btn = document.getElementById('send');

    // A function to handle sending messages.
    function sendMessage(e) {
        // Prevent any default browser behaviour.
        e.preventDefault();

        // Send a message with the text 'Hello Treehouse!' to the new window.
        receiver.postMessage('cookie data!', 'http://wrong-domain.com');
    }

    // Add an event listener that will execute the sendMessage() function
    // when the send button is clicked.
    btn.addEventListener('click', sendMessage);
}

Receiver code:

window.onload=function(){
    var messageEle=document.getElementById('message');
    function receiveMessage(e){
        if(e.origin!=="http://correct-domain.com")
        return;
        messageEle.innerHTML="Message Received: "+e.data;
    }
    window.addEventListener('message',receiveMessage);
}

Answer 4

You might try this cross-storage from Zendesk. Basically, There are hubs and clients:

• hubs: reside on any server, interact directly with LocalStorage API

• clients: load the hub using an embedded iframe, and post messages, interact with data

Key things is you can configure the permission (get, set, delete) that each host or domain client could have. The library is divided into two types of components: hubs and clients.

Care should be made to limit the origins of the bidirectional communication. As such, when initializing the hub, an array of permissions objects is passed. Any messages from clients whose origin does not match the pattern are ignored, as well as those not within the allowed set of methods. The set of permissions are enforced thanks to the same-origin policy. However, keep in mind that any user has full control of their local storage data - it's still client data. This only restricts access on a per-domain or web app level.