same origin policy in external js file - javascript

if in the website http://www.mysite.com there's an external js file added as
<script src="http://www.yoursite.com/new.js"></script>
within the http://www.yoursite.com/new.js js file, there's an ajax call to a script in http://www.yoursite.com/new.js
in such a case will there be the same-origin policy security problem, as it's calling a script in a site from another website?

There will be a problem. new.js run in the scope of mysite.com, not yoursite.com.
EDIT: a more detailed explanation would be: when mysite.com is openning a tag, that script runs in the scope of the current page. The source of the script does not matter: it can be inline, local source, or remote source, it is still considered part of mysite.
As you know, scripts in mysite.com cannot access anything on yoursite.com due to the same origin policy. So you cannot do this.
As an advanced option for cross-origin communication look at jsonp. It will require yoursite.com to provide a special handling, but if you have control on both sites then this should not be a problem.

JSONP is precisely what you're looking for: http://en.wikipedia.org/wiki/JSON
The 5,000m overview is that JSONP uses the same mechanism for requesting external scripts as you're using above. The difference is that your server will recognise this and will package up the JSON response as the argument to a callback method. When your site receives this 'script', it executes it thereby returning the data directly into your callback method.
If you are able to use a framework like jQuery, most of the client side would be transparently handled for you. Check it out here: http://api.jquery.com/jQuery.getJSON/

Related

Clarification of cross-domain AJAX?

I'd like to get some clarification on what cross-domain AJAX means in terms of the mechanics behind it.
Say for example, I have a website http://www.example.com. This website contains a javascript file, which within contains several standard jQuery based AJAX calls (e.g. $.post(), $.get() etc), located at http://www.example.com/js/script.js.
Now, I have another website http://www.helloworld.com, which contains the following;
<script type="text/javascript" src="http://www.example.com/js/script.js"></script>
Would the AJAX requests within http://www.example.com/js/script.js which make requests to http://www.example.com be considered "cross-domain" and therefore carry compatibility issues when the file is included on http://www.internet.com?
Any answers would be great!
JS is executed on the client side, so it doesn't matter where the source of the file resides, it'll be executed from the domain in the address bar.
In order to be able to include a javascript from another domain, the sever that serves that JS need to provide the file with the correct headers.
In particular the headers need to have the Access-Control-Allow-Origin set for the domain requiring a cross-domain JS.
Just for test purpose you might want to run Chrome with the parameter --allow-file-access-from-files and it won't stop cross origin requests.

Limit Javascript script Internet access

I have a webpage with a master script that connects, via AJAX, to a remote server and downloads unsecure JS scripts (let's call them slave scripts), to be executed lately on the client. I would like to limit the Internet access slave scripts have; e.g. they can communicate just with the remote server.
Do you have any idea of how can I achieve this?
Thanks,
Laurențiu Dascălu
You can't.
JavaScript AJAX calls will have access to whatever the browser has access to.
Your best bet would be attempt to create a third JavaScript component to proxy the slave script calls through. That component would be responsible for ensuring that the slave scripts weren't calling any URLs that they shouldn't be.
The downside, of course, is that anybody can download and modify all of your scripts anyway...which means that any proxy would be easy to overcome.
Use Caja. It can convert untrusted Javascript into safe Javascript which can only access specific resources as defined by you.
Run the scripts in an iframe hosted on a different domain, and the browser same-origin security policy should make it more secure.

Call JavaScript function from remote server

I tried to call JavaScript function exist on some server(server1) from another server(server2) and I got this error:
Unsafe JavaScript attempt to access frame with URL https://server1/ from frame with URL https://server2/ . Domains, protocols and ports must match.
I used JSP, Java, JavaScript and tomcat7, is there any way to solve this problem? any help will be appreciated.
Yes, must add a cross-origin rule to the header of your javascript file, which allows access from your other server.
Otherwise, your Browser doesn´t let you do that.
You can look at the answer of this Question: XmlHttpRequest error: Origin null is not allowed by Access-Control-Allow-Origin
It should tell you how to do it.
Take a look at easyXDM - it provides an RPC feature allowing you to call methods across the Same Origin Policy.
Take a look at one of the demo's here
As described you are subject to the Same Origin Policy, this is designed to protect users.
Google have a good write-up: http://code.google.com/p/browsersec/wiki/Part2.
There are several typical approaches to working around this:
jquery has a getJson or jsonp type of function. most other js libs have something similar. They use a dynamic Script tag, suitable for GET requests from other domains.
Create a servlet on domain1 that proxies to domain2 - allows unrestricted HTTP methods and use of XmlHTTPRequest.
I've not tried http://easyxdm.net/wp/
There are improvements coming, like cross document messaging in HTML5

Avoid x-domain solutions

I'm currently working on a web application that customers can add to their webpages by adding a javascript link to a js file on my server. The application read all the javascriptfiles from my sever, but I still get an error when trying to use ajax to get data from my database. I didn't think that would be a problem because the files is on my server.
Can I fix this or do I have to make a cross-browser solution? I don't have any control over the costumers server.
Thanks in advance
Mikael
This is not possible: When you execute a remote script, it runs in the context of the containing document.
There are some popular workarounds for this:
Using an iframe, which fixes the cross-domain problem but doesn't integrate well with the remote site (e.g. no custom styling)
Using JSONP to make cross-domain Ajax requests (detailed explanation here)
Using a server-side proxy script (not an option in this scenario)
Using YQL (I'm not familiar with this but it's said to work)
The same origin policy is based on the host document not the script itself.
You need to use a cross domain ajax technique.

Javascript support in C++ WebBrowser Control? - Same Domain Bypass?

I can't seem to get all Javascript functionality to work on the WebBrowser Control (linked below)
This could possibly be due to the same-domain issue - local html files have some ajax that calls address on external server. Is there a way to modify the control to omit the same domain?
http://msdn.microsoft.com/en-us/library/aa752040(VS.85).aspx
XMLHttpRequest (ajax) does not work cross domain, unless you proxy your requests to be on the same domain, though this will not work for local html files run from the disc without a server.
The alternative is JSONP, which works anywhere.
see: What is JSONP all about?
Yes you can implement IInternetSecurityManager::GetSecurityId on the host to return the same value for the script urls you want to put in the same domain.

Categories