How does a single domain policy work in pop-ups when a URL is configured to run JavaScript?

I want to do something like this:

var w = window.open("javascript: makeAnAjaxRequest();"); 

My question is: will an Ajax request (executed after opening a new window) be considered cross-site? Is the single-domain policy applied for the source domain whose page created the window?

In response to some of your comments:

someAjaxFunction() just needs to make an Ajax request and be able to work with the result. I understand that the function must be defined in the window that opens it. No problem; I have a miniature Ajax function that I use that I can enter in the URL. The bottom line is to see what restrictions apply to the request; that is, in what scope will the single-domain policy be applied?

+6
javascript ajax cross-domain
2 answers

Some info from Google: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_DOM_access

Without additional qualifiers, the term "same-origin policy" most often refers to a mechanism that regulates the ability of JavaScript and other scripting languages to access DOM properties and methods across domains (link). In essence, the model comes down to this three-step decision-making process:

  • If the protocol, host name and, for browsers other than Microsoft Internet Explorer, the port number match for two interacting pages, access is granted without further checks.
  • Any page can set the document.domain parameter to a right-hand, fully qualified fragment of its current host name (for example, foo.bar.example.com can set it to example.com, but not ample.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.
  • If none of the above conditions is met, access is denied.

Information from Mozilla

I cannot access the properties of the new secondary window. I always get an error message in the JavaScript console with the message "Error: uncaught exception: Permission denied to get property". Why is this?

This is due to a security restriction between script domains (also called the "Same Origin Policy"). A script loaded into a window (or frame) from one source (domain name) cannot get or set the properties of another window (or frame), or the properties of any of its HTML objects, that originate from a different origin (domain name). Therefore, before executing a script targeting the secondary window, the browser in the main window will check that the secondary window has the same domain name. More information on the cross-domain script security restriction: http://www.mozilla.org/projects/secu...me-origin.html

So, your answer:

  • If the protocol, hostname and port are the same, for all browsers but IE, it is the same domain
  • If the protocol and hostname match, for IE, it is the same domain

Otherwise, you are restricted.

EDIT: the real answer

window.open('javascript:doFunction()') does nothing but open a new empty window that will do nothing, because doFunction is undefined. It should be defined in the same window.

Sidenote: I can execute a same-origin XHR request by entering the Ajax code into the URL directly, but it is still subject to the same-domain policy.

 x = window.open('javascript:x = new XMLHttpRequest; x.open("GET", "http://medero.org", false); x.onreadystatechange = function(){ if ( x.readyState != 4 ) { return; }; alert(x); alert( x.responseText );}; try {x.send(null); } catch (e) { alert(e)}; alert("ok"); '); 

In Firefox, it does not work. And I have not tested it in MSIE yet. But

Tests:

( failure ) Chrome 7 (console) from http://stackoverflow.com:80

 >>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
 >>> x.document.body.innerHTML='test';
 TypeError: Cannot read property 'body' of undefined

( success ) Chrome 7 (console) from http://stackoverflow.com:80

 >>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
 >>> x.document.body.innerHTML='test';
 "test"

( crash ) Firefox 3.6 (console) from http://stackoverflow.com:80

 >>> x = window.open('http://google.com', 'fds', 'width=200, height=300')
 >>> x.document.body.innerHTML='test';
 Permission denied for <http://stackoverflow.com> to get property Window.document from <http://www.google.com>.

( success ) Firefox 3.6 (console) from http://stackoverflow.com:80

 >>> x = window.open('http://stackoverflow.com', 'fds', 'width=200, height=300')
 >>> x.document.body.innerHTML='test';
 "test"

( crash ) Firefox 3.6 (console) from http://stackoverflow.com:80

 $.ajax({
   url: 'http://bing.com',
   success: function(data) {
     alert(data) // blank alert
   }
 })

( success ) Firefox 3.6 (console) from http://stackoverflow.com:80

 $.ajax({
   url: 'http://stackoverflow.com',
   success: function(data) {
     alert(data) // success
   }
 })
+4

A window opened like this is empty, and the JavaScript then runs in the context of that window. Executing AJAX requests from this window, according to the comments of the medic, will fail because the protocol does not match, so you cannot open any http: URL for the connection.

Your question could be improved if you indicated what you are really trying to do, rather than just being curious...

0