
Need assistance reinventing the wheel.....

jim
I know it is stupid. I know browsers have this capability built in. I
know. I know. I know.

Still, is there a way to use javascript to enforce the same type of
cross-domain blocking that browsers implement, on pages from the same
server?

Let's say that I have several different pages on the same server - same
domain - but are authored by different people. I want to make sure that
one page cannot be used to see or manipulate another page on the same
server and domain - even if one page loads another in a frame.

Again, I know that this has been done in browsers for different domains.
My need is slightly different in that I want to prevent cross-page
scripting in the same domain on the same server without turning off
javascript completely.

Any help would be greatly appreciated.

jim
Oct 24 '08 #1
2 Replies


On 2008-10-25 00:42, jim wrote:
> Let's say that I have several different pages on the same server - same
> domain - but are authored by different people. I want to make sure that
> one page cannot be used to see or manipulate another page on the same
> server and domain - even if one page loads another in a frame.
As far as I know, this isn't possible (unless you're using different
ports, or a different protocol). You can't use the browser to enforce
the separation, and a script that has total access to a document in
another frame can do whatever it wants there. Not even "private" values
in closures are safe.

You'll want to use different subdomains, at least. That will
automatically protect your scripts through the "same origin" policy in
(current) web browsers. Be careful how you set your cookies, though.
- Conrad
Oct 25 '08 #2
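
An added example, not part of Conrad's reply or of the thread: it shows why per-author paths on one host give no isolation while per-author subdomains do, and why a cookie's Domain attribute can undo part of that separation. The hostnames under example.com, the cookie objects and the function names are constructed for illustration.

```javascript
// Added illustration; hostnames under example.com are constructed.

// Default ports, so that http://host and http://host:80 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple of a URL; the path is not part of it.
function originOf(url) {
  const u = new URL(url);
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""].join("|");
}

// Two pages can script each other's frames only if their origins match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Cookie scoping (RFC 6265 domain matching). A cookie set without a Domain
// attribute is host-only; with Domain=example.com it is also sent to
// every subdomain of example.com.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Constructed sample pages by two authors, first as paths, then as subdomains.
const alicePath = "http://www.example.com/alice/page.html";
const bobPath = "http://www.example.com/bob/page.html";
const aliceSub = "http://alice.example.com/page.html";
const bobSub = "http://bob.example.com/page.html";

// Constructed cookies, both set by alice.example.com.
const hostOnly = { name: "sid", setBy: "alice.example.com", domain: null };
const wide = { name: "sid", setBy: "alice.example.com", domain: "example.com" };

function report() {
  return {
    pathsShareOrigin: sameOrigin(alicePath, bobPath),                    // true: no isolation
    subdomainsShareOrigin: sameOrigin(aliceSub, bobSub),                 // false: isolated
    otherPortSharesOrigin: sameOrigin(alicePath, "http://www.example.com:8080/bob/"), // false
    hostOnlyCookieReachesBob: cookieSentTo(hostOnly, "bob.example.com"), // false
    wideCookieReachesBob: cookieSentTo(wide, "bob.example.com"),         // true
  };
}

console.log(report());
```
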

On Oct 24, 6:42 pm, jim <j...@home.net> wrote:
> I know it is stupid. I know browsers have this capability built in. I
> know. I know. I know.
>
> Still, is there a way to use javascript to enforce the same type of
> cross-domain blocking that browsers implement, on pages from the same
> server?
This is easily accomplished in an http handler for apache or IIS. If
it is possible at all with client side javascript, it would be a
kludge.

Bob
Oct 27 '08 #3
