Friday, March 18, 2005

Cross-domain security woes

You're developing an Ajax-based application. You have an application server at example.com which serves up all your JavaScript, HTML and CSS, and a data server at xml.example.com which delivers all the XML data to the application via a hidden IFRAME.

You know that cross-domain security will prevent any JavaScript from accessing the data in the IFRAME, so you configure the data server to set the security domain of the IFRAME to "example.com" — the common suffix between the two domains — with a small piece of JavaScript:

<script type="text/javascript">
  // Served by xml.example.com inside the hidden IFRAME:
  // relax this document's origin to the shared parent domain.
  document.domain="example.com";
</script>

Having done this, you test your application and get a "permission denied" error. What happened?

Depending on your browser, it may not be enough to set the security domain of the IFRAME alone. You must set all of the frames and windows to the same domain, too. This is true even if the domain name you're trying to set already matches the domain of the server that's currently serving the page. For example, if you have two frames with pages served from example.com and you use JavaScript to set the security domain of only one frame to "example.com", the frames will be unable to communicate.

Older browsers might let you get away with this.
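The rule behind that "permission denied" is the one the HTML Standard now calls "same origin-domain": two documents may script each other only if both have set document.domain to the same value, or if neither has set it and they are the same origin. A document that sets it, even to its own host, moves into the first category and loses access to every document still in the second. The following is an added example, not code from the original post, that models this check in plain JavaScript so it can be run outside a browser; the hosts are the post's own, and the function names (originOf, setDocumentDomain, canAccess and the scenario functions) are this example's, not a browser API. It ignores the port once document.domain is set, as browsers do, and omits public-suffix checks.

```javascript
// Added example: a small model of the browser "same origin-domain" rule that
// decides whether script in one frame may touch another. Not code from the
// original post; originOf/setDocumentDomain/canAccess are names chosen here.

// An origin as the browser tracks it: scheme, host, port, plus the value
// assigned to document.domain (null until a page sets it).
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || 'default', domain: null };
}

// Models the document.domain setter: the new value must be the page's own
// host or a parent suffix of it (public-suffix list checks are omitted).
function setDocumentDomain(origin, value) {
  if (value !== origin.host && !origin.host.endsWith('.' + value)) {
    throw new Error(`SecurityError: "${value}" is not a suffix of ${origin.host}`);
  }
  return { ...origin, domain: value };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The cross-frame access check. Both sides must have set document.domain to
// the same value, or neither side must have set it and they must be the same
// origin. One side alone setting it, even to its own host, is denied.
function canAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain; // port ignored here
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// Scenario from the post: only the data IFRAME sets document.domain.
function onlyIframeSetsDomain() {
  const app = originOf('http://example.com/app.html');
  const data = setDocumentDomain(originOf('http://xml.example.com/data.xml'), 'example.com');
  return canAccess(app, data); // false: "permission denied"
}

// The fix: both the application page and the IFRAME set it.
function bothSetDomain() {
  const app = setDocumentDomain(originOf('http://example.com/app.html'), 'example.com');
  const data = setDocumentDomain(originOf('http://xml.example.com/data.xml'), 'example.com');
  return canAccess(app, data); // true
}

// Two frames already served from example.com; one sets document.domain to
// "example.com" anyway and loses access to the other.
function sameHostOneSets() {
  const a = setDocumentDomain(originOf('http://example.com/a.html'), 'example.com');
  const b = originOf('http://example.com/b.html');
  return canAccess(a, b); // false
}

// A value that is not a suffix of the page's host is rejected outright.
function rejectsUnrelatedDomain() {
  try {
    setDocumentDomain(originOf('http://xml.example.com/data.xml'), 'unrelated.test');
    return false;
  } catch (e) {
    return e.message.startsWith('SecurityError');
  }
}

console.log('only IFRAME sets domain:', onlyIframeSetsDomain());
console.log('both set domain:        ', bothSetDomain());
console.log('same host, one sets:    ', sameHostOneSets());
console.log('unrelated value rejected:', rejectsUnrelatedDomain());
```

Two things worth keeping in mind when using the real setter. First, once both pages relax to "example.com", any other host under example.com that also sets document.domain = "example.com" can script the application page too, so the mechanism widens trust to the whole parent domain, not just to xml.example.com. Second, modern browsers are phasing the setter out in favour of postMessage, which passes data between frames without merging their origins.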

9 Comments:

At 10:51 AM, Blogger thirstypeanut said...

Aha! I finally got my company to change a domain so we'd use the same top 2 dots and in the time we'd lived like this the browsers were "updated" with this security patch. I can't even read parent.document.domain now :(

Dropping IE's security zone to Low gets around it, but that's hardly advisable.

...but at least I got something to change around here

 
At 5:50 AM, Blogger HiiFii Webservices said...

I liked your blog so much, so I also wanted to show you some good resources on the net.
Learn to earn 90000$/Month
For which you may also see my Personal Website
Here.
and for a Personal Education Career Tools
free Study Database.
This site is for seeing the
Hifi Electronics.
And this is for
World Class Gadgets

 
At 3:19 PM, Blogger poker-bingo said...

Great post.

If you are into gambling or poker visit the best party poker bonus place on the internet. More bonuses are also available on Poker bonus.

If you are looking for freerolls try freeroll poker loads of free cash for gambling.

 
At 5:14 PM, Blogger Unknown said...

This comment has been removed by the author.

 
At 12:17 PM, Anonymous Anonymous said...

Excellent comments and great post!
One of the LARGEST online slots casino that accepts players from the USA is Free Slots Casinos which has 98% payouts and bonuses!

 
At 11:12 AM, Blogger girish13 said...

Hey

It makes sense for browsers to try and stop cross-domain JavaScript, as it can easily lead to spamming or hacking other computers. However, in certain cases you just have to communicate cross-domain. Several tricks exist for this.

The one which has caught up lately is the Cross Domain Message Passing using Iframe
(here is the article http://www.mabaloo.com/Web-Development/Cross-Domain-Message-Passing-using-Iframe.html)

Another way to do this is to create a proxy on the root server which relays the request for communication to the other server. An article explaining this
(Here is the article
http://www.mabaloo.com/Web-Development/Pear-HTTP-Request-A-Cross-Domain-AJAX-focused-tutorial.html)

 
At 10:46 AM, Blogger Unknown said...

I am new to web development. I am trying to update a parent window text box from a child window by using the opener property. But it gives me an access denied error; the parent window is a simple HTML file and the child window is a ColdFusion file with JavaScript. I checked both files' domain property; they are the same. Any pointers for this issue?

Any help would be appreciated.

 
At 1:52 AM, Blogger Unknown said...

This still sucks, because it's not really cross-domain.

I got a problem:
www.web1.com has an iframe that implements www.web2.com/default.html

But the script on www.web2.com doesn't have access to its parent.

That's what I call cross-domain.

Any of you know a solution to this?

 
At 12:01 AM, Blogger Swarnendu said...

I am getting the same problem even in the same domain. I am accessing a parent variable from an iframe as parent.variableName.

Now, sometimes this gives me an error saying document.domain is not set. If I set that, for the time being it works perfectly. But it starts showing another error in a few days, which gets resolved only when I remove that document.domain property.

The main problem is, everything is in the same domain and I don't know when this error will come. I can't set document.domain permanently and also cannot remove it permanently.
This is strange and I don't know if there is a way to check when this problem will come.

 
