I have three servers:
Server A: Main Application host
Server B: Host for another application which opens up in Main application as an openScoial Gadget
Server C: Host for the OpenSocial specification file for the application on server B
Now, I access application on server A, but I get error saying access denied from some javaScript files function.
Seems like some cross domain issue, any help is welcomed.
Are you using any kind of authentication with your gadget? Why is the xml on a different server to the application? Are they also on different domains? What methods are you using to load javascript? Which OpenSocial Container implementation are you using? Are you using locked domains? What have you tried so far?
I can give you some general advice / information, but without answering at least the above questions, I can't understand exactly what your problem is.
OpenSocial gadgets are rendered inside iframes and their domain is chosen by the OpenSocial container rendering them, they are almost never (no cases that I know of) rendered on the domain of the gadget xml. Often this domain will simply be the domain of the parent page / OpenSocial container, unless locked domains is enabled, in which case the gadget will render on a separate, unique domain to prevent it accessing anything from the parent page.
Cross domain policy blocks xhr requests, this is why you need to use gadgets.io.makeRequest for anything you would normally do with xhr, but makeRequest requires some kind of authentication (usually oauth), because this basically involves the OpenSocial container proxying content from the gadget's server (server's C and B in your example). It will still be possible to load javascript / data using JSONP which is not affected by the cross origin policy.
Related
I'm setting up a micro-frontend solution which contains the main integration app which resides in the main window and a bunch of iframes with services (sub apps). This services are SPA's but not necessary and are served from another domains but I can control them. The main app needs to get some configuration from underlying services and it works the following way - the couple of embedded urls integrated into index.html and the main app knows what to load then it needs to wait for events through postMessage API, one per each iframe.
The problem here is that the main app doesn't know if something goes wrong inside an iframe during initialisation stage: the service is down due to different reasons and the app isn't loaded inside an iframe, or the app inside an iframe lost a connection to the server or JS syntax error. The only way to detect that is just using a timeout, but that's not the best UX. A user will wait for example for 30 seconds before seeing an error.
Are there any possible ways to gain an access to iframes from the main window? May be by using CORS? It's clear for XHR requests but I haven't found info regarding iframes and CORS.
Are there any possible ways to gain an access to iframes from the main window?
Only postMessage, which you are already using.
May be by using CORS? It's clear for XHR requests but I haven't found info regarding iframes and CORS.
You cannot use CORS to grant cross origin access via frames.
it is possible to crawl a website within an Angular-App? I am speaking about to call a website from Angular, not crawling an Angular-App. If that so, then I am wondering which IP will be shown on the crawled website. Since JavaScript is client-side, I would suggest, its the IP of the client, not of the server (like probably at nodejs). But all I know, its mostly browser-implemented stuff what we can use in JS, so it is even possible to crawl websites with methods from JavaScript (or Angular)?
Best Regards
Buzz
In theory, you can create an AJAX request to fetch the data with reponse type text/html. That would give you the remote document as a string. The browser wouldn't try to load the JavaScript and CSS in that document, though. That might not be a problem but CORS is. For security reasons, most browsers prevent you from loading data from somewhere else (otherwise, it would be too easy for criminals to put JavaScript into any web page). See here for details: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
If you have control over the second domain, you can configure the server there to send Access-Control-Allow-Origin headers to the browser to allow access from the Angular App.
Note: You could use an iframe to load the other website but when the domains of the current document and the one in the iframe don't match, then you can't access the contents of the iframe from JavaScript.
One way to work around this is to install a proxy on your server. The browser can then ask your server for the pages in question. In this case, the remote web site will get the IP of your server.
I have a web app http://embed.myapp.com that is intended to be embedded on a few whitelisted sites. The frame access is controlled with X-Frame-Options ALLOW-FROM
However, I do not want users to access it by putting in the above link directly in the web browser.
What is the best way to block plain (non-embedded) access?
I can determine whether the site is embedded with javascript, but by that point a session is already created and certain sensitive information such as CSRF tokens can be seen.
You may not quite get an absolutely foolproof way of stopping users from looking at the content directly.
A simple way to catch most cases would be to look at the referer header ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html section 14.36) on the server side and only serve the content when it is referred from the correct pages.
I have the main website hosted by a reliable static web hosting service. Which only allow me to host static files like html, css, js etc. Now I have few requirements which would need user Login and data storage. I think I can handle this using App Engine Python.
My app is similar to a Voting module, So i will explain it using its example.
My plan is to configure things something like this:
main website: www.example.com
appengine: gae.example.com
On the main website an anonymous user visits: http://www.example.com/vote.html, he should see current voting status (which has been retrieved from app engine). and a login button (from twitter/facebook). when he logins, he should be able to cast his vote and the vote be saved back to the appengine server.
I can handle most of the things but two. (taking same origin policy into account.)
How do I maintain authentication between two domain names. i.e. www.example.com and gae.example.com.
How do I make HTTP POST request to the gae.example.com from www.example.com and use the returned json data.
Note: I want to avoid iframes as much as possible.
You need to use JSONP.
Subdomains actually violate the same origin policy. This is because some hosted solutions provide subdomains for different users. This would allow users to attack each other's sites.
See: Same Origin Policy - AJAX & using Public APIs
You can maintain login between the two sub-domains by making sure that the login cookie is set on the root domain with subdomain access allowed. The sub-domains will be able to access the cookies of the root domain. See https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com for some examples.
I don't believe you can make ajax calls directly to another sub-domain. If the target sub-domain is cooperating and supports JSONP, you can do it that way (you end up inserting a script tag with a call to a script and that script calls you back with the data). Because the loading of scripts isn't subject to the same origin policy, you can work around it, but the target sub-domain has to be configured to allow and support JSONP.
Webpage A is embedded in an iframe inside of webpage B. A and B are on two different domains and therefore the same origin policy prevents A from accessing properties of B like so;
location = window.top.location.href // emits a "Permission denied" error
Is there any other way for A to get B's url?
No
If you have control over both domains, you can try a cross-domain scripting library like EasyXDM, which wrap cross-browser quirks and provide an easy-to-use API for communicating in client script between different domains using the best available mechanism for that browser (e.g. postMessage if available, other mechanisms if not).
Caveat: you need to have control over both domains in order to make it work (where "control" means you can place static files on both of them). But you don't need any server-side code changes.
In your case, you'd add javascript into one or both of your pages to look at the location.href, and you'd use the library to call from script in one page into script in the other.
Another Caveat: there are security implications here-- make sure you trust the other domain's script!