Jeremy J Starcher
On a web-forum I chat at, there are multiple lists of posts.
The forum, hosted on multiple servers, allows us to upload graphics and
Javascript to "skin" our particular forum. In addition, the forums are
broken into categories.
Simplified example:
tech.invalid.com
pets.invalid.com
Each of the sites, 'tech' 'pets' etc, has a See-Recent, which will show
the last 50 posts in that particular branch of the forum, but it does NOT
have a 'See-everything-recent' option. I've been asked to code one, if I
can.
Based on my exploring, it looks like the Same Origin Policy has really
gotten stricter than the last time I ran up against it, almost a decade
ago. With so much out-dated stuff out there on the 'net anymore, I'm not
sure what the current state of security is.
From 'tech.invalid.com' I cannot access the See-Recent from
'pets.invalid.com' either through an iframe or an HttpRequest. Fair
enough, I understand the security reasons why not.
My questions:
a) If someone on pets.invalid.com hosted a Javascript file for me, could
I load my script from the pets server and have it access that pets
server freely, even though the main web page is hosted on the tech server?
b) On one of the busier servers they have a load-balancing system that
307 to a secondary server. This server is usually specified by IP
address. What effect does this have on the SOP?
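Working through both questions above, as an added example that is not part of the original post: a small JavaScript model of the browser's origin rule (scheme, host, port), showing that a script's origin is that of the document including it, not the server it was fetched from, and that a 307 to another host changes the origin. Hostnames are the post's own placeholders; the IP address 192.0.2.10 and the paths are constructed for illustration.

```javascript
// Added example (not from the original post): a model of the same-origin rule
// as browsers apply it. Hostnames are the post's placeholders; 192.0.2.10 and
// the paths are constructed for illustration.

// An origin is the (scheme, host, port) triple; path and query play no part.
// URL.origin already drops default ports (443 for https, 80 for http).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// (a) A <script src="..."> runs with the origin of the DOCUMENT that includes
// it, not the origin of the server it was fetched from. A script hosted on
// pets.invalid.com but included by a page on tech.invalid.com therefore still
// runs as tech.invalid.com and gains no extra access to the pets server.
function scriptRunsAs(documentUrl, scriptUrl) {
  void scriptUrl; // deliberately unused: the script's source host is irrelevant
  return originOf(documentUrl);
}

// (b) A 307 redirect is followed to the Location target; the response then
// comes from that target's origin. A redirect to a bare IP address is a
// different origin from pets.invalid.com even when it is the same machine.
function redirectTargetOrigin(requestUrl, locationHeader) {
  // Location may be relative; resolve it against the request URL as browsers do.
  return originOf(new URL(locationHeader, requestUrl).href);
}

// Walk through the post's scenario and return the findings.
function demo() {
  const techPage = "https://tech.invalid.com/recent";
  const petsRecent = "https://pets.invalid.com/recent";
  const petsScript = "https://pets.invalid.com/skin.js";
  const balancerLocation = "http://192.0.2.10/recent"; // constructed 307 target
  return {
    techCanReadPets: sameOrigin(techPage, petsRecent),          // false
    petsScriptRunsAs: scriptRunsAs(techPage, petsScript),        // tech origin
    afterRedirect: redirectTargetOrigin(petsRecent, balancerLocation),
    redirectStaysPets: sameOrigin(petsRecent, balancerLocation), // false
  };
}

console.log(demo());
```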