Friday, March 18, 2005

Cross-domain security woes

You're developing an Ajax-based application. You have an application server at example.com which serves up all your JavaScript, HTML and CSS, and a data server at xml.example.com which delivers all the XML data to the application via a hidden IFRAME.

You know that cross-domain security will prevent any JavaScript from accessing the data in the IFRAME. So, you configure the data server to set the security domain of the IFRAME to "example.com" — the common suffix between the two domains — with a small piece of JavaScript:

<script type="text/javascript">
  document.domain="example.com";
</script>

Having done this, you test your application and get a "permission denied" error. What happened?

Depending on your browser, it may not be enough to only set the security domain of the IFRAME. You must set all of the frames and windows to the same domain, too. This is true even if the domain name you're trying to set already matches the domain of the server that's currently serving the page. For example, if you have two frames with pages served from example.com and you use JavaScript to set the security domain of one frame to "example.com" the frames will be unable to communicate.

Older browsers might let you get away with this.
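As an added example (not code from the original post), here is a small Node-runnable model of the rule the post describes: whether two documents may script each other depends on whether each of them has explicitly set document.domain, not merely on whether the values happen to match. The host names and ports are constructed sample values, and the suffix check is simplified (it ignores public-suffix rules).

```javascript
// Added example (not from the original post): a small model of the browser's
// document.domain rule, so the "permission denied" case can be reproduced
// without a browser. All hosts and ports below are constructed sample values.
function createDocument(scheme, host, port) {
  return { scheme, host, port, domain: host, domainWasSet: false };
}

// Models assigning document.domain: browsers accept only the current host
// or a dot-separated suffix of it and reject anything else.
function setDocumentDomain(doc, value) {
  const v = value.toLowerCase();
  if (v !== doc.host && !doc.host.endsWith('.' + v)) {
    throw new Error(`cannot set document.domain to "${value}" from ${doc.host}`);
  }
  doc.domain = v;
  doc.domainWasSet = true; // the flag, not just the value, drives the check
  return doc;
}

// Two documents may script each other only if BOTH set document.domain to the
// same value (same scheme), or NEITHER set it and they are plain same-origin.
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domainWasSet && b.domainWasSet) return a.domain === b.domain;
  if (!a.domainWasSet && !b.domainWasSet) return a.host === b.host && a.port === b.port;
  return false; // one side set it, the other did not: denied
}

// Scenario from the post: app page at example.com, data IFRAME at xml.example.com.
function scenarioFromPost() {
  const app = createDocument('http', 'example.com', 80);
  const data = createDocument('http', 'xml.example.com', 80);
  const before = canScript(app, data);        // different hosts: denied
  setDocumentDomain(data, 'example.com');      // only the IFRAME, as in the post
  const iframeOnly = canScript(app, data);     // still denied
  setDocumentDomain(app, 'example.com');       // now the parent page too
  const both = canScript(app, data);           // allowed
  return { before, iframeOnly, both };
}

// The surprising case from the post: two frames from the same host, one of
// them sets document.domain to its own host, and they stop communicating.
function sameHostScenario() {
  const f1 = createDocument('http', 'example.com', 80);
  const f2 = createDocument('http', 'example.com', 80);
  const before = canScript(f1, f2);            // same-origin: allowed
  setDocumentDomain(f1, 'example.com');
  return { before, after: canScript(f1, f2) }; // after: denied
}
```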

22 Comments:

At 9:27 AM, Blogger Joseph said...

Brilliant, thanks for posting this! I was really stuck and this was an instant fix. :)

 
At 10:51 AM, Blogger thirstypeanut said...

Aha! I finally got my company to change a domain so we'd use the same top 2 dots and in the time we'd lived like this the browsers were "updated" with this security patch. I can't even read parent.document.domain now :(

Dropping IE's security zone to Low gets around it, but that's hardly advisable.

...but at least I got something to change around here

 
At 7:02 AM, Blogger Aaron said...

This post is almost a year old now, but because it came up in a Google search and was helpful, I thought I would add one more thing.

Even if you use the clever JavaScript "document.domain" to change the domain of all frames involved in the page, you must either add ALL or NONE of the specific URLs to the Trusted Sites in IE.

In other words, this technique works flawlessly and universally in Firefox, but if you have, for example, a parent page coming from x.company.com, and an IFRAME containing a page from y.company.com that are trying to share content, and x.company.com is in your Trusted Sites (but NOT y.company.com), you get a Permission Denied error.

You must add http://x.company.com and http://y.company.com to your Trusted Sites in IE to get this to work.

Just something to let your customers know.

 
At 4:23 AM, Blogger ravi g said...

I tried using your document.domain, but I am not able to load an XML in Mozilla with this script from a cross domain.

 
At 11:12 AM, Blogger Girish said...

Hey

It makes sense for browsers to try and stop cross-domain JavaScript, as it can easily lead to spamming or hacking other computers. However, in certain cases you just have to communicate cross domain. Several tricks exist for this.

The one which has caught up lately is Cross Domain Message Passing using Iframe (here is the article: http://www.mabaloo.com/Web-Development/Cross-Domain-Message-Passing-using-Iframe.html).

Another way to do this is to create a proxy on the root server which relays the request for communication to the other server. Here is an article explaining this: http://www.mabaloo.com/Web-Development/Pear-HTTP-Request-A-Cross-Domain-AJAX-focused-tutorial.html

 
At 10:46 AM, Blogger Anant said...

I am new to web development. I am trying to update a parent window text box from a child window by using the opener property, but it gives me an access denied error. The parent window is a simple HTML file and the child window is a ColdFusion file with JavaScript. I checked both files' domain property; they are the same. Any pointers for this issue?

Any help would be appreciated.

 
At 1:52 AM, Blogger Laurens said...

This still sucks, because it's not really cross-domain.

I got a problem:
www.web1.com has an iframe that implements www.web2.com/default.html

But the script on www.web2.com doesn't have access to its parent.

That's what I call cross domain.

Do any of you know a solution to this?

 
At 12:01 AM, Blogger Swarnendu said...

I am getting the same problem even in the same domain. I am accessing a parent variable from an iframe as parent.variableName.

Now, sometimes this gives me an error saying document.domain is not set. If I set that, for the time being it works perfectly. But it starts showing another error in a few days, which gets resolved only when I remove that document.domain property.

The main problem is, everything is in the same domain and I don't know when this error will come. I can't set document.domain permanently and also cannot remove it permanently.
This is strange, and I don't know if there is a way to check when this problem will come.

 
