same origin policy – Page 9

what prevents sending "$.post" from one domain to another?

Posted on July 12, 2017 by

I have one website in chromium tab, and an other website in another tab,
Im executing single post command in the second website – $.post(…); to the first website.
Originaly its not working (getting: “No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘null’ is therefore not allowed access”) ,but if runing chromium with “–disable-web-security –user-data-dir=~/.chrome-tmp ” flags it will send the post.
the question is, what exactly changed so after putting those flags the post is sent ?
I first thought that it disabled “same origin policy” but after some reading it seems like it has nothing to do with it.

Continue reading what prevents sending "$.post" from one domain to another?→

Crossdomain.xml – write access to domain

Posted on June 10, 2017 by SilverlightFox

Is a permissive crossdomain.xml Flash policy analogous to a permissive CORS policy?

i.e. Is

<cross-domain-policy> <allow-access-from domain=”*” /> </cross-domain-policy>

the equivalent of

Access-Contro… Continue reading Crossdomain.xml – write access to domain→

CSRF not working over CORS proxy

Posted on May 19, 2017 by megalucio

I’m consuming OData services from JQuery and running into a typical scenario of Same Origin Policy. I do not have control over the server and therefore I can not implement CORS so the only thing I can do is to use a proxy in … Continue reading CSRF not working over CORS proxy→

Impact of websockets origin header [duplicate]

Posted on April 24, 2017 by mohammad obaid

This question already has an answer here:

Is the Origin header really useful for securing a WebSocket?

2 answers

If websi… Continue reading Impact of websockets origin header [duplicate]→

Impact of websockets origin header [duplicate]

Posted on April 24, 2017 by mohammad obaid

This question already has an answer here:

Is the Origin header really useful for securing a WebSocket?

2 answers

If websi… Continue reading Impact of websockets origin header [duplicate]→

Setting Access-Control-Allow-Origin: * when session identifiers are injected in the HTTP headers

Posted on April 11, 2017 by christophetd

Is it considered as secure for an application to set a header access-control-allow-origin: * if during the normal usage of the application, the client credentials are injected in the headers by the JS code? E.g.:

GET /applic… Continue reading Setting Access-Control-Allow-Origin: * when session identifiers are injected in the HTTP headers→

How does CSRF correlate with Same Origin Policy

Posted on April 10, 2017 by user1217974

I’m trying to understand what roles do CSRF and same origin play in the grand scheme of things. With CSRF, I’m able to pretty much do anything on other websites on clients by making requests.Same Origin Policy (SOP) preserves the data of o… Continue reading How does CSRF correlate with Same Origin Policy→

How is the lack of the "SameSite" cookie flag a risk?

Posted on March 16, 2017 by Kevin Morssink

Nowadays cookies can have HTTPOnly, Secure and SameSite flags. The purposes of HTTPOnly and Secure flags are pretty clear. But what does SameSite scripting prevent exactly and how?

Additionally, how would a scenario of successful “attacki… Continue reading How is the lack of the "SameSite" cookie flag a risk?→

XSS security concerns from untrusted parent domains

Posted on March 7, 2017 by Tim Perry

There’s lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. Github pages). What are the risks the other way around?

If my content is hosted at subdomain.example.com, what … Continue reading XSS security concerns from untrusted parent domains→

XSS security concerns from untrusted parent domains

Posted on March 7, 2017 by Tim Perry

There’s lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. Github pages). What are the risks the other way around?

If my content is hosted at subdomain.exam… Continue reading XSS security concerns from untrusted parent domains→