Chrome blocks different origin requests - javascript

When a script tries to access a frame from a different origin, Chrome blocks it and throws an exception:
"Uncaught SecurityError: Blocked a frame with origin 'provider domain' from accessing a frame with origin 'mydomain'. Protocols, domains, and ports must match".
I got this error after some update in Google Chrome. Any suggestions?

Direct JavaScript calls between frames and/or windows are only allowed if they conform to the same-origin policy. If your window and iframe share a common parent domain, you can set document.domain to that shared parent domain on one or both such that they can communicate. Otherwise you'll need to look into something like the postMessage() API.

This is a security update. If an attacker can modify some file on the web server (the JS one, for example), he can make every loaded page download another script (for example to keylog your password or steal your session ID and send it to his own server).
To avoid it, the browser checks the same-origin policy.
Your problem is that the browser is trying to load something with your script (with an Ajax request) that is on another domain (or subdomain).
To avoid it (if it is on your own website) you can:
Copy the element to your own server (but it will be static).
Change your HTTP headers to accept cross-origin content. See the Access-Control-Allow-Origin documentation for more information.

Related

Possible to intercept XMLHttpRequests coming from inside iframe (same domain)?

I have a page that's loaded using https, and it embeds an iframe on the same domain, also loaded via https.
Inside the iframe, there are some XHR requests to an insecure http URL (the URL is actually to an IP address on the local network) that are being blocked.
Is there any way I can allow the requests to the local IP address? I only have access to edit the code in the parent frame. I can use php or javascript in the parent frame.
Unless you recompile your browser, CORS explicitly prohibits this, and no browser would allow it unless the local IP machine returns valid CORS headers.
See here for CORS headers info:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests

Same Origin Policy limitation

So you can't make a request to another domain under the same-origin policy. But does that apply to code you are running inside the Chrome JS console with a page of that domain opened? And does that apply to a backend server app making a request to the other domain?
Question 1: Chrome
When you run code inside the Chrome JS console, you are running code in the context of a given page, and you inherit the same security sandbox that the page has. All web pages are subject to CORS restrictions (cross-origin resource sharing).
As a side note, cross-origin requests are allowed if the API you are calling explicitly allows them (which is implemented server side by setting some HTTP headers), or if you use another legacy cross-origin technique (hacks) like JSONP.
Question 2: Server side
CORS is a browser thing, to protect web users against malicious JS acting on their behalf (for example, to reconfigure their home router); there is no such thing server side.

Can I use https for local development?

I'm attempting a slight variation of the Google+ web sign-in server side flow as described on the Google Developer's website.
Google's gapi code is giving this error message:
Uncaught SecurityError: Blocked a frame with origin "http://my-development-system.dev" from accessing a frame with origin "https://accounts.google.com". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.
Am I right in saying that my local development system cannot be set up to use the https protocol?
This is not only to do with a differing protocol (HTTP on your site vs HTTPS on accounts.google.com); it is also because the domain does not match (and the port, for that matter), a restriction imposed by the Same Origin Policy.
This policy stops www.evil.com from loading a site such as www.bank.com inside a frameset (or popup window if framing is disabled) and then accessing the DOM. If the DOM could be accessed, this would be a massive security risk, as any website could read your private data on another site.
It is possible to allow access by implementing a CORS policy and outputting server-side headers to allow other specified domains to read content; however, this would be on Google's side in your case. So unless https://accounts.google.com implements a CORS policy, you will not be able to make a client-side variation of the server-side flow. Another barrier is that even if CORS were implemented, it does not allow access to the DOM. However, you'd be able to retrieve content from another domain, protocol or port via AJAX calls. The target site would also have to output the Access-Control-Allow-Credentials: true header in order for authentication credentials (i.e. cookies in this case) to be sent with the request and the response read by your domain.
Can I use https for local development?
To answer your original question, the answer is yes. This can be a self-signed certificate for most purposes, and it will not affect this particular error message in your browser (as you, the browser user, have chosen to accept and trust the certificate).
I was wrong in saying that
my local development system cannot be set up to use the https protocol
It can! Simply by using a self-signed SSL certificate.

Blocked a frame with origin "domain1" from accessing a frame with origin "domain2"

I am having problems while trying to make a page reload whenever the session expires on my website, which is contained inside an iframe at a client's domain.
I know that browsers do not allow cross-domain control for whatever security reasons; the thing is, I made my client add to every HTTP response two headers like:
"Access-Control-Allow-Origin","domain2"
"Access-Control-Allow-Methods","GET, POST"
In theory, this should tell any browser NOT to block my request to reload the website, but it still keeps on happening.
Is the request being blocked even before domain1 says: OK, I will allow this domain to do whatever it wants to me?
You can't do this with Access-Control-Allow-Origin.
You need to use postMessage: https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage for interactions with iframes.
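The postMessage() exchange that this answer, and the first answer on the page, point to, worked for the reload case above: the embedded page (domain2) tells its parent (domain1) that the session expired, and the parent reloads itself. This is an added example, not code from any of the posts; the two origins and the message type are assumptions, and the handler is written as plain functions so the origin check can be exercised outside a browser.

```javascript
// Added example: a cross-origin reload handshake over window.postMessage().
// EMBEDDED_ORIGIN / PARENT_ORIGIN are assumptions; substitute the real origins.
const EMBEDDED_ORIGIN = 'https://domain2.example'; // the iframe's origin
const PARENT_ORIGIN = 'https://domain1.example';   // the embedding page's origin

// --- Runs inside the iframe (domain2) ---
// Sends a typed message to the parent. The target origin is the parent's
// exact origin, never '*', so the message is not delivered if some other
// site has framed this page.
function notifyParentSessionExpired(parentWindow) {
  parentWindow.postMessage({ type: 'session-expired' }, PARENT_ORIGIN);
}

// --- Runs in the parent page (domain1) ---
// Builds a 'message' handler that acts only on messages from the expected
// origin with the expected shape. Any site can post a message to this
// window, so event.origin is the trust boundary. Returns true when it acted.
function makeSessionExpiredHandler(reload) {
  return function onMessage(event) {
    if (event.origin !== EMBEDDED_ORIGIN) return false;
    if (!event.data || typeof event.data !== 'object') return false;
    if (event.data.type !== 'session-expired') return false;
    reload();
    return true;
  };
}

// Browser wiring; skipped under Node so the file also runs as a script.
if (typeof window !== 'undefined') {
  if (window.parent !== window) {
    // Inside the iframe: call this from whatever detects the expired session.
    window.notifyParentSessionExpired = () =>
      notifyParentSessionExpired(window.parent);
  } else {
    window.addEventListener(
      'message',
      makeSessionExpiredHandler(() => window.location.reload())
    );
  }
}
```

Neither side touches the other's DOM; each only receives a structured-cloned value and decides what to do with it. That is the "cooperating frames" model the same-origin policy allows, and it is why no Access-Control-* header can substitute for it.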

Making AJAX calls from inside of an iframe with different domain

Is it possible to do AJAX calls from inside an iframe that has a different domain source?
I've tried script injection, but it doesn't work because the iframe's source is secure.
I made a simple fiddle with the California DMV website here.
I'm getting a DOM exception 8 error. Is it a security issue?
It is not possible to modify or make JS calls in an iframe with a different domain source. This is restricted in all browsers for security reasons.
See the "Same Origin Policy" for a description of how inter-frame security works. In a nutshell, there is very little communication allowed between frames on different domains for security reasons. You cannot make any direct JavaScript calls between frames on different domains.
There is a way to make cross-domain ajax calls, and it involves using JSONP. Basically, you inject a script tag into your own frame, and that script tag points to a server endpoint anywhere on the web. Since the src value of a script tag is not restricted by the same-origin policy, you can reach that server. But now you need to have a way to get that result back. That is done using JSONP, where you specify in your server request a JavaScript function that you want the returned JavaScript to call. That returned JavaScript can have JavaScript data in it that is then passed to the desired function. JSONP requires cooperation between both the client code and the server code, since a normal ajax call might not support the extra part of JSONP. But with this cooperation of both sides, you can get around the same-origin policy for server endpoints that support JSONP.
HTML5 has a new messaging system that can safely communicate data (not direct JS calls) between cooperating frames in different domains. See here and here for a description of how the HTML5 messaging works.
Yes it's a security issue because of the Same Origin Policy enforced by most browsers: http://en.wikipedia.org/wiki/Same_origin_policy .
You can look into JSONP http://niryariv.wordpress.com/2009/05/05/jsonp-quickly/ which is specifically designed to get around this.
