What are the risks to sharing login to other subdomain websites through cookies? [duplicate]
This question is an exact duplicate of:
What are the risks of setting a cookie to have a more global scope? [duplicate]
1 answer
I need to implement an SSO solution with the following requirements:
Cross-domain: Let’s assume I have a.com, b.com and sso.com. If I become logged in through a.com, I shouldn’t need to login when I visit b.com.
Centralized… Continue reading How to implement cross-domain, auto-login SSO without browser redirects for unlogged users?
I have one website in a Chromium tab, and another website in another tab.
I'm executing a single post command in the second website, $.post(…);, to the first website.
Originally it's not working (getting: “No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘null’ is therefore not allowed access”), but if running Chromium with the “--disable-web-security --user-data-dir=~/.chrome-tmp” flags it will send the post.
The question is: what exactly changed so that after adding those flags the post is sent?
I first thought that it disabled the “same origin policy”, but after some reading it seems like it has nothing to do with it.
Continue reading what prevents sending "$.post" from one domain to another?
Is it considered secure for an application to set a header access-control-allow-origin: * if, during the normal usage of the application, the client credentials are injected in the headers by the JS code? E.g.:
GET /applic… Continue reading Setting Access-Control-Allow-Origin: * when session identifiers are injected in the HTTP headers
I made an XHR cross-origin request from an HTML file, hosted on a Python SimpleHTTPServer.
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.facebook.com/favicon.ico", true);
xhr.withCredentials = true;
xhr.onload… Continue reading No Preflight Request is made during XHR cross-origin request
The situation is that I have two domains (Domain A and Domain B) that live on separate networks. I need to allow users in B to be authenticated with integrated windows authentication (IWA) when they hit a web app deployed on … Continue reading Is a Kerberos ticket valid with only one-way external trust between domains?
I’ve been a bit lost. I have the following situation:
Flash Player file is on https://sub.example.com/player.swf
crossdomain.xml is on https://sub2.example.com/crossdomain.xml
Streaming is done using Wowza.
The crossdomai… Continue reading Secure crossdomain for rtmp/flash streaming/wowza
I recently learned about CORS and got the impression that its purpose is to prevent XSS. With CORS, the browser blocks requests to different domains, unless particular headers are in place.
But if a person with malicious intent injects so… Continue reading How does CORS prevent XSS?
I’ve been reading in the last couple of days about CORS, and in a lot of places it’s mentioned as a “security” feature to help protect the world from cross-domain forgery.
I still don’t see the benefit and the reasoning for CORS. Ok, browse… Continue reading Is CORS helping in anyway against Cross-Site Forgery?
I found this website which talks about fixing a Redis vulnerability by exploiting that same vulnerability.
The website in question has a “patch me” button, and if you have a password-less Redis server running on your machine, it will patc… Continue reading Can a website make an HTTP request to "localhost"? How does it get around the cross-domain policy?