same-origin-policy

XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header

 ̄綄美尐妖づ submitted on 2020-05-24 07:29:11
Question: tl;dr; About the Same Origin Policy I have a Grunt process which initiates an instance of express.js server. This was working absolutely fine up until just now when it started serving a blank page with the following appearing in the error log in the developer's console in Chrome (latest version): XMLHttpRequest cannot load https://www.example.com/ No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4300' is therefore not allowed access. What

Unable to access iframe content (same-origin policy)

大城市里の小女人 submitted on 2020-03-23 04:08:08
Question: I have the following page <!DOCTYPE html> <html> <script type="text/javascript"> function loopLink(i) { window.open($('#iframe_a').contents().find('.image-navigator-mid a').attr('href'),'iframe_a'); setTimeout(function() { if (i < 3) loopLink(i+1); }, 5000); } // Wait for the page to load first window.onload = function() { var a = document.getElementById("mylink"); a.onclick = function() { loopLink(0); return false; } } </script> <iframe src="http://nanofate.us/content/fate-new-hair-style

Can a third-party script set a first-party cookie?

生来就可爱ヽ(ⅴ<●) submitted on 2020-02-20 07:52:04
Question: I've read a lot of content online about cookies, but nothing addressing this question: Let's say I have a server at a.com and a web page served by b.com embeds a script in that web page which lives on my server: <script src='a.com/script.js'></script> What is that script allowed to do in terms of setting cookies? Can it set a cookie with domain=a.com? I'd assume so since the script is served from that domain. Can it also set a cookie with domain=b.com since the page is served from that

Can a JavaScript hosted on different domain read/modify DOM of another domain?

眉间皱痕 submitted on 2020-02-18 05:21:42
Question: I have a question regarding a potential security issue/limitation regarding JavaScript hosted on a domain (ex: domain of a CDN, say example.com), but loaded from a website under a different domain (say, example.net). Now imagine that the JavaScript loaded will just read/modify text in a div with a particular id, so nothing "complicated". An example: I have the script loaded from http://example.com/myscript.js, and executed on http://example.net/index.html: [note the different TLD!] <!-- Page

Print functionality in Angularjs for iframe

自闭症网瘾萝莉.ら submitted on 2020-02-05 04:25:08
Question: I have to print a specific file which is in an iframe. My view_file.ejs: <div id="viewframe"> <iframe id="viewfile" name="viewfile" src='https://docs.google.com/viewer?url=<%= urlencode.encode(img) %>&embedded=true' style="width: 100%;height:900px" frameborder="0" scrolling="no" seamless="" allowfullscreen="allowfullscreen"> </iframe> </div> Here img (which is a variable I have used inside urlencode.encode) is a link from an AWS S3 bucket. Print button: <div class="right_blk"> <span class="versions"

Why do frame breakers work cross-domain, and can you conditionally use frame breakers?

ⅰ亾dé卋堺 submitted on 2020-01-28 06:34:11
Question: I've been investigating frame breaking code recently and have come across some really bizarre behavior related to the same origins policy that I am having trouble understanding. Suppose I've got a page Breaker.html on domain A, and a page Container.html on domain B. The example frame breaker code would go into Breaker.html, like below: if (top !== self) top.location.href = self.location.href; This will successfully break Breaker.html out of Container.html, but I don't understand why it should

How to include WCF Custom Headers in console Service Host

北战南征 submitted on 2020-01-23 07:00:47
Question: In my WCF service I was getting a 405 method not allowed error and then came across a post which suggests having the following in Application_BeginRequest of my WCF host: protected void Application_BeginRequest(object sender, EventArgs e) { if (HttpContext.Current.Request.HttpMethod == "OPTIONS") { HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Accept, Content-Type,customHeader"); HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS")

jQuery load problems same origin policy

女生的网名这么多〃 submitted on 2020-01-16 18:04:08
Question: I want to load in content from another site (essentially I want to check if something is on the page). I know the same origin policy makes this difficult, but I was wondering if there is a way around it. I looked into using this: http://api.jquery.com/jQuery.getJSON/ Is there a better, simpler way? It looks like that is only for JSON. Thanks Answer 1: You can use dataType: "jsonp" but I believe this requires that the entire page you're loading via ajax be in JSON format (which it probably isn't).

jQuery load problems same origin policy

浪子不回头ぞ submitted on 2020-01-16 18:01:09
Question: I want to load in content from another site (essentially I want to check if something is on the page). I know the same origin policy makes this difficult, but I was wondering if there is a way around it. I looked into using this: http://api.jquery.com/jQuery.getJSON/ Is there a better, simpler way? It looks like that is only for JSON. Thanks Answer 1: You can use dataType: "jsonp" but I believe this requires that the entire page you're loading via ajax be in JSON format (which it probably isn't).

Why is cross-domain JSONP safe, but cross-domain JSON not?

流过昼夜 submitted on 2020-01-11 15:48:52
Question: I'm having trouble connecting some dots having recently learned of JSONP. Here's my understanding: Cross-domain XmlHttpRequests for any content (including JSON) are banned, due to the same origin policy. This protects against XSRF. You are permitted to have a script tag with a src that returns JSONP - some JSON padded inside a call to a JavaScript function (say 'Foo') You can have some implementation of 'foo' on the page that will get called when the JSONP data is returned, and you can do