same origin policy – Page 5

Can JavaScript from different origins communicate securely

Posted on September 24, 2019 by bblfish

I want to know if there is a way for JS from one Origin to delegate a task to JS from another origin in a secure way.

The use case is to have a JS Agent from the users’ home origin use the JavaScript Web Crypto API, to save… Continue reading Can JavaScript from different origins communicate securely→

Preventing Quota Theft of Embedded Service without API Key

Posted on September 21, 2019 by Hudson

The way the service works is that the user can embed content on their site, that is served from my servers. Usage is tracked in “views”, or how many times the src endpoint inside of the <iframe> has been called.

I am t… Continue reading Preventing Quota Theft of Embedded Service without API Key→

Who can access the X-CSRF token?

Posted on September 8, 2019 by phantasos

I’m really confused about a CSRF token implementation in a Spring web app that I’ve inherited.
Basically, everyone can request the token by looking at what Spring Security filters do:

http
.exceptionHandling(… Continue reading Who can access the X-CSRF token?→

Difficulty understanding SOP and CSRF

Posted on September 7, 2019 by Sumanto Dinar

As said here, a CSRF attack has little to do with SOP. However, on the OWASP CSRF page it is said that

Fortunately, this request will not be executed by modern web browsers thanks to same-origin policy restrictions. This … Continue reading Difficulty understanding SOP and CSRF→

Why are web font resource requests not no-cors?

Posted on July 18, 2019 by Adam Williams

CSS, JS, images etc are all fetched as no-cors. What’s different about web fonts?

Per the spec:

For font loads, user agents must use the potentially CORS-enabled fetch method defined by the [FETCH] specification for URL’… Continue reading Why are web font resource requests not no-cors?→

17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device

Posted on July 3, 2019 by Swati Khandelwal

Except for phishing and scams, downloading an HTML attachment and opening it locally on your browser was never considered as a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on … Continue reading 17-Year-Old Weakness in Firefox Let HTML File Steal Other Files From Device→

Are subdomains secure from one another if they are on separate servers?

Posted on June 23, 2019 by Sahil

I’m writing an application (example.com) that gives users their own sub-domains to run arbitrary user applications off of (user.example.com).

Each user application will be run on separate servers with distinct domains, and m… Continue reading Are subdomains secure from one another if they are on separate servers?→

How can I forward SaaS calls from the client to the third-party service?

Posted on June 2, 2019 by Joshua Fox

In the browser (e.g., for mysite.com) there is Javascript for third-party services, say somesaas.com. Let’s say that I rewrite the Javascript so that it calls https://proxy.mysite.com instead of https://somesaas.com. Then t… Continue reading How can I forward SaaS calls from the client to the third-party service?→

How can the Same Origin Policy protect the user in times of CORS headers?

Posted on May 22, 2019 by Hakim

How can the Same origin policy protect something if you can bypass it via Cross Origin Resource Sharing headers? And why are those assigned by the server which is tried to access and not by the user?

Where is the risk of a C… Continue reading How can the Same Origin Policy protect the user in times of CORS headers?→

CORS Anywhere to bypass CSRF protection

Posted on March 16, 2019 by user11177344

CORS Anywhere helps with accessing data from other websites that is normally forbidden by the Same origin policy of Web browsers.

Can CORS Anywhere be used to bypass CSRF protection?

Reason to ask the question here:

Si… Continue reading CORS Anywhere to bypass CSRF protection→