Comments on: Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF

by: Rich Dougherty

Sun, 08 Mar 2009 22:18:00 +0000

Jon, the Google Analytics script passes data back to Google by loading 1px images with specially-crafted URLs. Images, stylesheets and scripts can be loaded from any other site into the current page. However XMLHttpRequests and inter-frame communication is limited by security policy.

by: James

Sun, 01 Mar 2009 13:34:00 +0000

Thanks for this, a very interesting read. I already knew about the same-origin policy but this has really cleared up a couple of misconceptions I had.

by: Jon

Mon, 05 Jan 2009 21:19:00 +0000

How does Google Analytics not violate the Same Origin Policy?

Doesn’t Analytics make a call back to Google? Wouldn’t this violate the policy?

by: Gaurav

Sat, 15 Nov 2008 23:24:00 +0000

so basically same origin policy applies only when a script tries to issue an XMLHttpRequest and not when access is through standard protocols like HTTP?

by: Soren Werk

Thu, 11 Sep 2008 13:00:00 +0000

Where can I read about legitimate use of XSS?

How do I go about accessing the properties of an iframe (f.ex. height) from the document inside the iframe - when the two documents come from different sub-domains of the same domain?

F.ex.:http://www.mysite.com/page_with_iframe.html http://application.mysite.com/content_inside_iframe.html

I want the content document to set the height of the iframe in the main page like this:

document.domain = “mysite.com”;

parent.document.getElementById(’main_iframe’).height = document.body.scrollHeight;

by: xSS-ErrOr

Tue, 02 Sep 2008 11:39:00 +0000

If you would want to use an Editor (you do not want, I understood it and I understand why), I would recommend using the editor MarkitUp! it offers great features (you can tab right out of the generated markup for example, just write what should be inside and press tab).

It is very user friendly, easy to understand and dosn’t do any pseudo WYSIWYG shit.

And you can use it for whichever markup lang you want.

by: Chris

Fri, 01 Aug 2008 00:54:00 +0000

Thanks for the post, very useful stuff

by: Austin

Fri, 21 Mar 2008 18:20:00 +0000

thanks for the posting. It helped me clarify these concepts very well.

by: justin

Sat, 07 Apr 2007 20:28:00 +0000

Thanks, and we just do normal copyright at the moment. So, if you quote us in part just give a citation and a link back.

by: Pathetic Whitehat

Fri, 06 Apr 2007 22:33:00 +0000

Thank you for writing this. Under what license is this content?