Same Origin Policy -- clarifications?


Jeremy J Starcher

On a web-forum I chat at, there are multiple lists of posts.

The forum, hosted on multiple servers, allows us to upload graphics and
Javascript to "skin" our particular forum. In addition, the forums are
broken into categories.

Simplified example:
tech.invalid.com
pets.invalid.com


Each of the sites, 'tech' 'pets' etc, has a See-Recent, which will show
the last 50 posts in that particular branch of the forum, but it does NOT
have a 'See-everything-recent' option. I've been asked to code one, if I
can.

Based on my exploring, it looks like the Same Origin Policy has really
gotten stricter than the last time I ran up against it, almost a decade
ago. With so much outdated stuff out there on the 'net anymore, I'm not
sure what the current state of security is.

From 'tech.invalid.com' I cannot access the See-Recent from
'pets.invalid.com' either through an iframe or HttpRequest. Fair
enough, I understand the security reasons why not.

My questions:

a) if someone on pets.invalid.com hosted a Javascript file for me, could
I load my script from the pets server and have it access that pets
server freely, even though the main web page is hosted on the tech server?

b) On one of the busier servers they have a load-balancing system that
307s to a secondary server. This server is usually specified by IP
address. What effect does this have on the SOP?
 

Thomas 'PointedEars' Lahn

Jeremy said:
> [...]
> The forum, hosted on multiple servers, allows us to upload graphics and
> Javascript to "skin" our particular forum. In addition, the forums are
> broken into categories.
>
> Simplified example:
> tech.invalid.com
> pets.invalid.com
>
> [...]
> Based on my exploring, it looks like the Same Origin Policy has really
> gotten stricter than the last time I ran up against it, almost a decade
> ago. With so much outdated stuff out there on the 'net anymore, I'm not
> sure what the current state of security is.

AFAIK nothing has really changed regarding "DOM Level 0" objects.

> From 'tech.invalid.com' I cannot access the See-Recent from
> 'pets.invalid.com' either through an iframe

You should be able to. Have you set document.domain = "invalid.com" before?

> or HttpRequest.

document.domain does not apply to XHR; you are stuck here unless you use a
server-side proxy script.

> a) if someone on pets.invalid.com hosted a Javascript file for me, could
> I load my script from the pets server

Yes.

<script type="text/javascript" src="http://pets.invalid.com/foo.js">

> and have it access that pets server freely, even though the main web page
> is hosted on the tech server?

Depends. Besides, although it is unlikely that both sites are hosted on
different servers, it does not really matter. The only thing that matters
here is the different domain of the URLs the Web sites are accessed with.
This has not changed since "DOM Level 0".

> b) On one of the busier servers they have a load-balancing system that
> 307s to a secondary server. This server is usually specified by IP
> address. What effect does this have on the SOP?

None whatsoever, as the original request URI and therefore its domain part
does not change.


PointedEars
 

Jeremy J Starcher

Thomas said:
> AFAIK nothing has really changed regarding "DOM Level 0" objects.
>
>> From 'tech.invalid.com' I cannot access the See-Recent from
>> 'pets.invalid.com' either through an iframe
>
> You should be able to. Have you set document.domain = "invalid.com"
> before?

*nods* From everything I understand, document.domain needs to be set on
BOTH documents for this to work. In my case, I only have access to one
but not the other.

> document.domain does not apply to XHR; you are stuck here unless you use
> a server-side proxy script.

*nods* I was afraid of that. In my case that would mean a third-party
server. More effort than it's worth.

> Yes.
>
> <script type="text/javascript" src="http://pets.invalid.com/foo.js">
>
> Depends. Besides, although it is unlikely that both sites are hosted on
> different servers, it does not really matter. The only thing that matters
> here is the different domain of the URLs the Web sites are accessed with.
> This has not changed since "DOM Level 0".

*nod* Understood.

> None whatsoever, as the original request URI and therefore its domain
> part does not change.

That one surprises me, but it does make sense. I figured the /final/ URI
would be the one that mattered.

Thanks for the help, Thomas.

Looks like I am biting off a bigger project than I can chew and that it
can't be done entirely client-side without access to either a) a separate
proxy server or b) access to the forum server to change a few things.

There used to be a bunch of loopholes in the Same Origin Policy last time I
looked at it. Things are no longer the same. Oh well. The world must
be for the better because of it.
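As an added example (not code from this thread or from the forum software), the following Node-runnable model walks through the checks the two replies describe: the strict (scheme, host, port) comparison XHR is held to, the rules for setting document.domain, and why setting it on only one of the two documents is not enough. The hosts are the thread's sample names; the address 203.0.113.7 is a constructed stand-in for a load balancer's 307 target.

```javascript
// Added example, not code from the thread: a small model of the origin checks a
// browser applies in the situations discussed above. Host names are the thread's
// sample hosts; the IP address is a constructed stand-in for a 307 target.

// The Same Origin Policy compares (scheme, host, port). XHR is held to this
// strict rule, and document.domain does not relax it.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port };
}
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// document.domain may only be set to the host itself or a parent domain of it;
// an IP-literal host can never be relaxed to a domain (browsers throw SecurityError).
function setDocumentDomain(doc, value) {
  const host = originOf(doc.url).host;
  if (host === value) { doc.domain = value; return true; }
  const isIpLiteral = /^\d+\.\d+\.\d+\.\d+$/.test(host) || host.startsWith("[");
  if (isIpLiteral || !host.endsWith("." + value)) return false;
  doc.domain = value;
  return true;
}

// DOM access between two documents (a parent reading its iframe) is allowed when
// they are same-origin, or when BOTH have set document.domain to the same value
// under the same scheme. One side setting it, as in the thread, is not enough.
function domAccessAllowed(docA, docB) {
  if (docA.domain === undefined && docB.domain === undefined) return sameOrigin(docA.url, docB.url);
  if (docA.domain === undefined || docB.domain === undefined) return false;
  return docA.domain === docB.domain && originOf(docA.url).scheme === originOf(docB.url).scheme;
}

function demo() {
  const tech = { url: "http://tech.invalid.com/skin/index.html" };
  const pets = { url: "http://pets.invalid.com/see-recent" };
  const balanced = { url: "http://203.0.113.7/see-recent" }; // constructed IP target
  const r = {};
  r.xhrAllowed = sameOrigin(tech.url, pets.url);      // false: XHR stays blocked
  r.iframeUnrelaxed = domAccessAllowed(tech, pets);   // false: different hosts
  setDocumentDomain(tech, "invalid.com");
  r.iframeOneSide = domAccessAllowed(tech, pets);     // false: pets never set it
  setDocumentDomain(pets, "invalid.com");
  r.iframeBothSides = domAccessAllowed(tech, pets);   // true
  r.ipHostCanRelax = setDocumentDomain(balanced, "invalid.com"); // false
  return r;
}
```

The document.domain setter is deprecated in current browsers and disabled by default in Chrome, so this relaxation should be treated as legacy behaviour rather than a design option.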
 
