How to avoid JS domain rules in a controlled env? (IE)


Svend Tofte

Hey,

I'm doing some web applications, and in one of them, I want to open a
page, from another domain. This is running internally, with full
control over the environment. However, even adding the two domains in
question to the trusted sites list will not let anything work.

I looked through the security settings for IE, and I don't see anything
in there that seems pertinent, except for the "data sources" one, which
I suspect is that IE4 data stuff.

The actual code opens the foreign popup in a modal dialog (IE only,
etc), and I then set the returnValue of the dialog, which is then
returned to the calling script.

Is there ANY way, any combination of settings, that will let me mess
with pages from other domains?

Regards,
Svend
 

Martin Honnen

Svend Tofte wrote:

> Is there ANY way, any combination of settings, that will let me mess
> with pages from other domains?

Write an HTML application (HTA) then, start with saving your local .html
file as .hta instead, that way you can access the DOM of documents
loaded in frames. But I am not sure what happens with a modal dialog in
that case, be careful to check that the URL loaded in the dialog does
not have application rights too if you load stuff you do not control.
HTA application docs are here:
<http://msdn.microsoft.com/library/default.asp?url=/workshop/author/hta/hta_node_entry.asp>
 

BootNic

Svend Tofte said:
> Hey,
>
> I'm doing some web applications, and in one of them, I want to open a
> page, from another domain. This is running internally, with full
> control over the environment. However, even adding the two domains in
> question to the trusted sites list will not let anything work.
>
> I looked through the security settings for IE, and I don't see
> anything in there that seems pertinent, except for the "data sources"
> one, which I suspect is that IE4 data stuff.
>
> The actual code opens the foreign popup in a modal dialog (IE only,
> etc), and I then set the returnValue of the dialog, which is then
> returned to the calling script.
>
> Is there ANY way, any combination of settings, that will let me mess
> with pages from other domains?
>
> Regards,
> Svend

http://jibbering.com/2002/4/httprequest.html

IE only with full control over the environment, XMLHTTPRequest may just get you there.
 

Svend Tofte

BootNic said:
> IE only with full control over the environment,
> XMLHTTPRequest may just get you there.

XMLHTTP may be able to perform cross-domain calls, but the popup is for
the user to browse and select some information. It is this selecting
and browsing which is inside the popup, which is on another domain. I
need to return the result to the opener, if at all possible.

I was reading up on IE, and it seems that if the two domains exist as
subdomains of the same domain (such as alice.foo.com and bob.foo.com),
you can get access by setting the domain property to foo.com in both
windows. However, as this lives as an internal webapp, the URLs are
merely http://webapp1 and http://webapp2, no common "parent" domain.

Routing information via the backend (which XMLHTTP will essentially do)
is to way overengineer the solution. We can, if need be, stick it on
the same domain after all.

But the question still remains, how to get access, assuming IE only,
and control over environment. And, if one cannot, to assert that fact.

Regards,
Svend
 

Jc

Svend Tofte wrote:
> I was reading up on IE, and it seems that if the two domains exist as
> subdomains of the same domain (such as alice.foo.com and bob.foo.com),
> you can get access by setting the domain property to foo.com in both
> windows. However, as this lives as an internal webapp, the URLs are
> merely http://webapp1 and http://webapp2, no common "parent" domain.

<snip>

If the two machines are physically on the same domain (I'm assuming
you're referring to the lack of a common domain in the URL only), you
can likely still use this domain setting, just start accessing the
URLs with fully qualified names instead of only the machine name:
http://webapp1.domain.com and http://webapp2.domain.com.

AFAIK, this domain setting in IE is the only way to get around the
security. Another technique that would work though, is to make both
sites appear to be coming from the same machine. For example, you could
run software on webapp1 that allows requests to be made to webapp2
through a special URL to webapp1, where a server-side application makes
the request on behalf of the user.

There are possibly hardware solutions that can do this as well (serve
content from multiple machines based on URL).
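
The document.domain behaviour discussed in this thread, as an added example that is not part of any post: a simplified model (not browser code) of the same-origin check showing why single-label hosts like http://webapp1 and http://webapp2 cannot be relaxed to a shared parent while fully qualified names can. The `Page`, `canScript` and `demo` names are made up for the illustration, and public-suffix checks that real browsers apply are left out.

```javascript
// Simplified model of same-origin checks with document.domain relaxation.
class Page {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;
    this.domain = null; // non-null only after an explicit assignment
  }
  // Models `document.domain = value`: allowed only for the current host
  // or a parent suffix of it that starts on a label boundary.
  setDomain(value) {
    const current = this.domain || this.host;
    if (value !== current && !current.endsWith("." + value)) {
      throw new Error(`cannot set domain of ${this.host} to ${value}`);
    }
    this.domain = value;
  }
}

// May script in page a touch the DOM of page b?
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  // Both sides opted in: compare the relaxed domains, port is ignored.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Only one side opted in: access is denied.
  if (a.domain !== null || b.domain !== null) return false;
  return a.host === b.host && a.port === b.port;
}

function demo() {
  const out = {};
  const alice = new Page("http://alice.foo.com/");
  const bob = new Page("http://bob.foo.com/");
  out.subdomainsBefore = canScript(alice, bob);
  alice.setDomain("foo.com");
  out.oneSideOnly = canScript(alice, bob);
  bob.setDomain("foo.com");
  out.subdomainsAfter = canScript(alice, bob);
  // Single-label intranet names share no parent suffix to relax to.
  const w1 = new Page("http://webapp1/"), w2 = new Page("http://webapp2/");
  try { w1.setDomain("webapp2"); out.singleLabelSet = true; }
  catch (e) { out.singleLabelSet = false; }
  out.singleLabel = canScript(w1, w2);
  // Fully qualified names under a common parent can be relaxed.
  const f1 = new Page("http://webapp1.domain.com/"), f2 = new Page("http://webapp2.domain.com/");
  f1.setDomain("domain.com"); f2.setDomain("domain.com");
  out.fqdn = canScript(f1, f2);
  return out;
}
console.log(demo());
```

Because the relaxed check compares only the shared suffix, every other host under that parent domain that sets the same value gains the same DOM access.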
 
