Skip to main content

Posts

Showing posts with the label xss

php, ajax authentication on external domain

By User
Suppose I have domain-a.com (A) and domain-b.com (B) I'd like to be able to share php sessions between the two domains unifying logins in a way that once the user is logged to A is automatically logged into B and vice versa. Now, the problem I'm facing is that even if I managed to have the browser talk via ajax to an external domain via the Access-Control-Allow-Origin header it won't set cookies (please don't tell me "you can't set/get cookies for another domain, this is not the problem") here's the flow: A sends credentials to B if credentials are OK -B answers with the SESSID made in order to be consistent with the user credentials (so that it can be generated both ways ie: login from A or login from B), this will be used later to share the session created on B -At the same time I'd like that B could write cookies for its domain, but so far I wasn't able. What I need here is very simple, once that the credentials from A are...
1 comment
Read more

Send custom message from iframe guest to iframe host where host HTML from portlet

By User
I'm trying to send a custom message from an iframe guest to an iframe host using jQuery (We are developing both guest and host). The guest and host are on the same domain but on different ports. Also, the iframe host is being rendered from a portlet within a Liferay portal instance (5.2.3) and the portal mangles the host URL of the portlet. The host and guest URLs look like: host: http://localhost:8080/host/foo/bar?p_p_id=portletname_WAR_portletname_INSTANCE_nNz9&... guest: http://localhost:8081/guest I know that trying to do this messaging violates the same origin policy enforced by browsers. To get around this I've looked at using PortHole, EasyXDM and the jquery-postmessage-plugin. The problem I have is this: For these libraries to work the sender (iframe guest) needs to know the host url but cannot know the mangled portlet host url in advance.
Post a Comment
Read more

One jQuery Instance, Two Domains

By User
I have two pages: a.example.com and b.example.com a.example.com includes jQuery a.example.com contains an iframe pointing to b.example.com both pages have document.domain set to the same parent domain, example.com How can I use the jQuery include from a.example.com to call $.ajax({ url: " b.example.com " }) from inside the b.example.com iframe? In other words: Both pages can currently access the Javascript of one another, but I can not get the AJAX call to function without throwing XSS errors. That is, without including jQuery on b.example.com too. How do I avoid including jQuery twice? Example of the contents of the iframe: <script> document.domain = "example.com"; function proxyAjax() { var jQueryParent = parent.$.sub(); // Chrome gives error: XMLHttpRequest cannot load http://b.example.com/. Origin http://a.example.com/ is not allowed by Access-Control-Allow-Origin. jQueryParent.ajax({ url : "http://b.example.com/...
Post a Comment
Read more