{"id":34538,"date":"2023-03-22T12:46:38","date_gmt":"2023-03-22T07:16:38","guid":{"rendered":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/"},"modified":"2023-03-22T12:46:38","modified_gmt":"2023-03-22T07:16:38","slug":"solved-ways-to-circumvent-the-same-origin-policy","status":"publish","type":"post","link":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/","title":{"rendered":"[Solved] Ways to circumvent the same-origin policy"},"content":{"rendered":"<div id=\"answer-3076648\" class=\"answer js-answer accepted-answer js-accepted-answer\" data-answerid=\"3076648\" data-parentid=\"3076414\" data-score=\"84\" data-position-on-page=\"1\" data-highest-scored=\"1\" data-question-has-accepted-highest-score=\"1\" itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<div class=\"post-layout\">\n<div class=\"votecell post-layout--left\"><\/div>\n<div class=\"answercell post-layout--right\">\n<div class=\"s-prose js-post-body\" itemprop=\"text\">\n<h2>The <code>document.domain<\/code> method<\/h2>\n<ul>\n<li>Method type: <strong>iframe<\/strong>.<\/li>\n<\/ul>\n<p>Note that this is an iframe method that sets the value of <code>document.domain<\/code> to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at <code>http:\/\/store.company.com\/dir\/other.html<\/code> executes the following statement:<\/p>\n<pre><code>document.domain = \"company.com\";\n<\/code><\/pre>\n<p>After that statement executes, the page would pass the origin check with <code>http:\/\/company.com\/dir\/page.html<\/code>. However, by the same reasoning, company.com could not set <code>document.domain<\/code> to <code>othercompany.com<\/code>.<\/p>\n<p>With this method, you would be allowed to execute JavaScript from an iframe sourced on a subdomain on a page sourced on the main domain. 
This method is not suited for cross-domain resources as browsers like Firefox will not allow you to change the <code>document.domain<\/code> to a completely alien domain.<\/p>\n<p>Source: <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/developer.mozilla.org\/en\/Same_origin_policy_for_JavaScript\">https:\/\/developer.mozilla.org\/en\/Same_origin_policy_for_JavaScript<\/a><\/p>\n<h2>The Cross-Origin Resource Sharing method<\/h2>\n<ul>\n<li>Method type: <strong>AJAX<\/strong>.<\/li>\n<\/ul>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/www.w3.org\/TR\/access-control\/\">Cross-Origin Resource Sharing<\/a> (CORS) is a W3C Working Draft that defines how the browser and server must communicate when accessing sources across origins. The basic idea behind CORS is to use custom HTTP headers to allow both the browser and the server to know enough about each other to determine if the request or response should succeed or fail.<\/p>\n<p>For a simple request, one that uses either <code>GET<\/code> or <code>POST<\/code> with no custom headers and whose body is <code>text\/plain<\/code>, the request is sent with an extra header called <code>Origin<\/code>. The Origin  header contains the origin (protocol, domain name, and port) of the requesting page so that the server can easily determine whether or not it should serve a response. An example <code>Origin<\/code> header might look like this:<\/p>\n<pre><code>Origin: http:\/\/www.stackoverflow.com\n<\/code><\/pre>\n<p>If the server decides that the request should be allowed, it sends a <code>Access-Control-Allow-Origin<\/code> header echoing back the same origin that was sent or <code>*<\/code> if it\u2019s a public resource. For example:<\/p>\n<pre><code>Access-Control-Allow-Origin: http:\/\/www.stackoverflow.com\n<\/code><\/pre>\n<p>If this header is missing, or the origins don\u2019t match, then the browser disallows the request. If all is well, then the browser processes the request. 
Note that neither the requests nor responses include cookie information.<\/p>\n<p>The Mozilla team suggests in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/hacks.mozilla.org\/2009\/07\/cross-site-xmlhttprequest-with-cors\/\">their post about CORS<\/a> that you should check for the existence of the <code>withCredentials<\/code> property to determine if the browser supports CORS via XHR. You can then couple with the existence of the <code>XDomainRequest<\/code> object to cover all browsers:<\/p>\n<pre><code>function createCORSRequest(method, url){\n    var xhr = new XMLHttpRequest();\n    if (\"withCredentials\" in xhr){\n        \/\/ Standard XHR with CORS support\n        xhr.open(method, url, true);\n    } else if (typeof XDomainRequest != \"undefined\"){\n        \/\/ Legacy Internet Explorer (8\/9) cross-domain object\n        xhr = new XDomainRequest();\n        xhr.open(method, url);\n    } else {\n        \/\/ No cross-origin request support in this browser\n        xhr = null;\n    }\n    return xhr;\n}\n\nvar request = createCORSRequest(\"get\", \"http:\/\/www.stackoverflow.com\/\");\nif (request){\n    request.onload = function() {\n        \/\/ ... use request.responseText here\n    };\n    request.send();\n}\n<\/code><\/pre>\n<p>Note that for the CORS method to work, you need to have access to any type of server header mechanic and can&#8217;t simply access any third-party resource.<\/p>\n<p>Source: <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/www.nczonline.net\/blog\/2010\/05\/25\/cross-domain-ajax-with-cross-origin-resource-sharing\/\">http:\/\/www.nczonline.net\/blog\/2010\/05\/25\/cross-domain-ajax-with-cross-origin-resource-sharing\/<\/a><\/p>\n<h2>The <code>window.postMessage<\/code> method<\/h2>\n<ul>\n<li>Method type: <strong>iframe<\/strong>.<\/li>\n<\/ul>\n<p><code>window.postMessage<\/code>, when called, causes a <code>MessageEvent<\/code> to be dispatched at the target window when any pending script that must be executed completes (e.g. 
remaining event handlers if <code>window.postMessage<\/code> is called from an event handler, previously-set pending timeouts, etc.). The <code>MessageEvent<\/code> has the type <code>message<\/code>, a <code>data<\/code> property which is set to the string value of the first argument provided to <code>window.postMessage<\/code>, an <code>origin<\/code> property corresponding to the origin of the main document in the window calling <code>window.postMessage<\/code> at the time <code>window.postMessage<\/code> was called, and a <code>source<\/code> property which is the window from which <code>window.postMessage<\/code> is called.<\/p>\n<p>To use <code>window.postMessage<\/code>, an event listener must be attached:<\/p>\n<pre><code>\/\/ Internet Explorer\nwindow.attachEvent('onmessage', receiveMessage);\n\n\/\/ Opera\/Mozilla\/WebKit\nwindow.addEventListener(\"message\", receiveMessage, false);\n<\/code><\/pre>\n<p>And a <code>receiveMessage<\/code> function must be declared:<\/p>\n<pre><code>function receiveMessage(event)\n{\n    \/\/ do something with event.data;\n}\n<\/code><\/pre>\n<p>The off-site iframe must also send events properly via <code>postMessage<\/code>:<\/p>\n<pre><code>&lt;script&gt;window.parent.postMessage('foo', '*')&lt;\/script&gt;\n<\/code><\/pre>\n<p>Any window may access this method on any other window, at any time, regardless of the location of the document in the window, to send it a message. Consequently, any event listener used to receive messages must first check the identity of the sender of the message, using the <code>origin<\/code> and possibly <code>source<\/code> properties. 
This cannot be understated: <strong>Failure to check the <code>origin<\/code> and possibly <code>source<\/code> properties enables cross-site scripting attacks.<\/strong><\/p>\n<p>Source: <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/developer.mozilla.org\/en\/DOM\/window.postMessage\">https:\/\/developer.mozilla.org\/en\/DOM\/window.postMessage<\/a><\/p>\n<\/div>\n<div class=\"mt24\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The document.domain method Method type: iframe. Note that this is an iframe method that sets the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http:\/\/store.company.com\/dir\/other.html executes the following statement: document.domain &#8230; <a title=\"[Solved] Ways to circumvent the same-origin policy\" class=\"read-more\" href=\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\" aria-label=\"More on [Solved] Ways to circumvent the same-origin policy\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320],"tags":[334,333,4642],"class_list":["post-34538","post","type-post","status-publish","format-standard","hentry","category-solved","tag-ajax","tag-javascript","tag-same-origin-policy"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[Solved] Ways to circumvent the same-origin policy - JassWeb<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" 
\/>\n<link rel=\"canonical\" href=\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[Solved] Ways to circumvent the same-origin policy - JassWeb\" \/>\n<meta property=\"og:description\" content=\"[ad_1] The document.domain method Method type: iframe. Note that this is an iframe method that sets the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http:\/\/store.company.com\/dir\/other.html executes the following statement: document.domain ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\" \/>\n<meta property=\"og:site_name\" content=\"JassWeb\" \/>\n<meta property=\"article:published_time\" content=\"2023-03-22T07:16:38+00:00\" \/>\n<meta name=\"author\" content=\"Kirat\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kirat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\"},\"author\":{\"name\":\"Kirat\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31\"},\"headline\":\"[Solved] Ways to circumvent the same-origin policy\",\"datePublished\":\"2023-03-22T07:16:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\"},\"wordCount\":619,\"publisher\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\"},\"keywords\":[\"ajax\",\"javascript\",\"same-origin-policy\"],\"articleSection\":[\"Solved\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\",\"url\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\",\"name\":\"[Solved] Ways to circumvent the same-origin policy - 
JassWeb\",\"isPartOf\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#website\"},\"datePublished\":\"2023-03-22T07:16:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jassweb.com\/solved\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[Solved] Ways to circumvent the same-origin policy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jassweb.com\/solved\/#website\",\"url\":\"https:\/\/jassweb.com\/solved\/\",\"name\":\"JassWeb\",\"description\":\"Build High-quality Websites\",\"publisher\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jassweb.com\/solved\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\",\"name\":\"Jass Web\",\"url\":\"https:\/\/jassweb.com\/solved\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png\",\"contentUrl\":\"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png\",\"width\":693,\"height\":132,\"caption\":\"Jass 
Web\"},\"image\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31\",\"name\":\"Kirat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1775798750\",\"contentUrl\":\"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1775798750\",\"caption\":\"Kirat\"},\"sameAs\":[\"http:\/\/jassweb.com\"],\"url\":\"https:\/\/jassweb.com\/solved\/author\/jaspritsinghghumangmail-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"[Solved] Ways to circumvent the same-origin policy - JassWeb","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/","og_locale":"en_US","og_type":"article","og_title":"[Solved] Ways to circumvent the same-origin policy - JassWeb","og_description":"[ad_1] The document.domain method Method type: iframe. Note that this is an iframe method that sets the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http:\/\/store.company.com\/dir\/other.html executes the following statement: document.domain ... Read more","og_url":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/","og_site_name":"JassWeb","article_published_time":"2023-03-22T07:16:38+00:00","author":"Kirat","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kirat","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#article","isPartOf":{"@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/"},"author":{"name":"Kirat","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31"},"headline":"[Solved] Ways to circumvent the same-origin policy","datePublished":"2023-03-22T07:16:38+00:00","mainEntityOfPage":{"@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/"},"wordCount":619,"publisher":{"@id":"https:\/\/jassweb.com\/solved\/#organization"},"keywords":["ajax","javascript","same-origin-policy"],"articleSection":["Solved"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/","url":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/","name":"[Solved] Ways to circumvent the same-origin policy - JassWeb","isPartOf":{"@id":"https:\/\/jassweb.com\/solved\/#website"},"datePublished":"2023-03-22T07:16:38+00:00","breadcrumb":{"@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jassweb.com\/solved\/solved-ways-to-circumvent-the-same-origin-policy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jassweb.com\/solved\/"},{"@type":"ListItem","position":2,"name":"[Solved] Ways to circumvent the same-origin policy"}]},{"@type":"WebSite","@id":"https:\/\/jassweb.com\/solved\/#website","url":"https:\/\/jassweb.com\/solved\/","name":"JassWeb","description":"Build High-quality 
Websites","publisher":{"@id":"https:\/\/jassweb.com\/solved\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jassweb.com\/solved\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jassweb.com\/solved\/#organization","name":"Jass Web","url":"https:\/\/jassweb.com\/solved\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/","url":"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png","contentUrl":"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png","width":693,"height":132,"caption":"Jass Web"},"image":{"@id":"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31","name":"Kirat","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/image\/","url":"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1775798750","contentUrl":"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1775798750","caption":"Kirat"},"sameAs":["http:\/\/jassweb.com"],"url":"https:\/\/jassweb.com\/solved\/author\/jaspritsinghghumangmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts\/34538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/c
omments?post=34538"}],"version-history":[{"count":0,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts\/34538\/revisions"}],"wp:attachment":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/media?parent=34538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/categories?post=34538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/tags?post=34538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}