Breaking The Cross Domain Barrier Alex Sexton
A Story... AJAX is so nifty! We can do anything! FML :(
Same Origin Policy Applies to XMLHttpRequest: a page may only read responses from its own origin (scheme + host + port). Stops hackers (or any other site) from getting our data!
Same Origin Policy It’s actually an important rule. You wouldn’t want to have this happen:
YEA BUT WHAT IF... I own both sites and I just want to make them talk? The site I want information from says it’s okay? I don’t give a shit?!
The Solution postMessage.
THE END. kthnxbai.
<RecordScratch.wav> Browser Vendors have realized that there is a need for cross domain messaging. IE6 ruins your life again and again. There is not a single solution that solves every problem in every browser :(
Some Options: postMessage, JSONP, CORS, document.domain mods, window.name transport, server-side proxy, CRAZY IFRAME STUFF, MOAR
Post Message Just pass messages between window objects! It’s safe(ish) because both pages have to know about it: the sender names the exact origin it is talking to (the targetOrigin argument, never "*") and the receiver checks event.origin before it trusts event.data.
Post Message Handle the message event in the otherWindow: listen for the message event, compare event.origin against the origins you expect, and then treat event.data as untrusted input (it is a string; parse it, don’t eval it).
Post Message What’s it good for? Passing events along from one window to the other; initializing the state of a new window; synchronizing two pages; most things, but it’s not always practical.
Post Message Works In... FF3+ IE8+ Chrome 1+ Safari 4+ Kind of in Opera for a while but it’s a little different but good enough probably so we’ll count it
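The two checks above, written out as an added example (this is not code from the slides; the origins app.example and widget.example, the message format and the "resize" handler are hypothetical). The receiver returns a result object so the decision can be exercised without a browser; a real listener would simply ignore it.

```javascript
// Added example, not from the slides: postMessage with the two checks that
// make it "safe(ish)": an explicit targetOrigin on the sender and an
// event.origin allowlist on the receiver. Origins below are hypothetical.

// Sender (page on https://app.example talking to an embedded widget).
// Refusing "*" matters: the browser delivers to whatever document is in the
// frame right now, which may not be the one you loaded.
function sendToFrame(frameWindow, type, data, targetOrigin) {
  if (typeof targetOrigin !== 'string' || targetOrigin === '*') {
    throw new Error('refusing to post a message without an exact targetOrigin');
  }
  frameWindow.postMessage(JSON.stringify({ v: 1, type: type, data: data }), targetOrigin);
  return targetOrigin;
}

// Receiver (widget on https://widget.example). Returns a result object instead
// of nothing so the decision can be unit-tested; a real listener ignores it.
function makeMessageHandler(allowedOrigins, handlers) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    // 1. Anyone can post to this window; only act on senders we expect.
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: 'origin not allowed: ' + event.origin };
    }
    // 2. event.data is attacker-controlled text even from an allowed origin
    //    (XSS there, or a compromised page): parse it, never eval it.
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return { accepted: false, reason: 'malformed message' };
    }
    // 3. Dispatch only on message types we own (the own-property check keeps
    //    "constructor" or "__proto__" from reaching Object.prototype).
    if (!msg || msg.v !== 1 || typeof msg.type !== 'string' ||
        !Object.prototype.hasOwnProperty.call(handlers, msg.type)) {
      return { accepted: false, reason: 'unknown message type' };
    }
    return { accepted: true, result: handlers[msg.type](msg.data, event) };
  };
}

// Wiring on the widget side. Handlers clamp what they are told, too: a
// "resize" must not let the embedding page turn the widget into a full
// screen overlay.
const widgetHandler = makeMessageHandler(['https://app.example'], {
  resize: function (data) {
    const h = Number(data && data.height) || 0;
    return { height: Math.max(0, Math.min(h, 2000)) };
  },
});
if (typeof window !== 'undefined') {
  window.addEventListener('message', widgetHandler);
}

// Offline demo with constructed objects in place of real windows and events.
const fakeFrame = { posted: [], postMessage(msg, origin) { this.posted.push({ msg: msg, origin: origin }); } };
sendToFrame(fakeFrame, 'resize', { height: 500 }, 'https://widget.example');
const demo = widgetHandler({ origin: 'https://app.example', data: fakeFrame.posted[0].msg });
// demo -> { accepted: true, result: { height: 500 } }
```

In a real page the sender passes iframe.contentWindow and the widget’s origin; the receiver also wants to check event.source against the window it expects when several frames share the handler.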
JSONP JavaScript Object Notation with Padding.  (dumb I know)
JSONEN JavaScript Object Notation Except Not **Formerly JSONP
JSON A standard (mostly) created by the Crock (Douglas Crockford). A subset of JavaScript’s literal syntax with some extra rules. Non-Executable - just for data (so parse it with a JSON parser, not eval).
JSONP JavaScript... (JSONP is not JSON: it’s a script that calls your function, and it executes.)
JSONP - Why it’s special The ‘P’: <script> tags are not subject to the Same Origin Policy. A script loaded from anywhere runs with the full privileges of the page that included it (a total security flaw that will never change, so only include scripts from servers you’d trust with your whole site).
How JSONP Works Step 1: You create a callback function that accepts some data
How JSONP Works Step 2: Include a script whose URL carries a hint of what your function is called (e.g. a callback= query parameter). hint-hint
How JSONP Works Step 3: The server outputs a script that calls the function and passes in the necessary data, i.e. the script body is your function name followed by the JSON in parentheses.
JSONP Is Good For... Data passing, RESTful APIs, 1-(way/time)-ish cross domain communication, Hacking (any site can include the script, so whatever it returns is readable by every site on the web).
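Both halves of the three steps above, as an added example that is not from the slides. The endpoint, the callback= parameter name and the data are hypothetical. The server side is where the security work happens: the callback name is attacker-controlled text written into an executable response, so it is validated rather than escaped, and the endpoint must only return data that every site on the web may see.

```javascript
// Added example, not from the slides. Both halves of a JSONP exchange with the
// checks that keep the "P" from becoming a reflected XSS or a data leak. The
// endpoint, callback name and data are hypothetical.

// Server side: build the padded script for GET /api/items?callback=<name>.
// The callback name is attacker-controlled and gets written straight into an
// executable response, so it is validated, not escaped.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || callbackName.length > 64 || !CALLBACK_RE.test(callbackName)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback name' };
  }
  // Serve only public data here: the response runs on any origin that includes
  // it, with the visitor's cookies attached to the request. Per-user data in a
  // JSONP response is readable by every site that visitor opens.
  //
  // JSON is not quite a JavaScript subset in older engines: U+2028/2029 are
  // legal in JSON strings but ended a line in pre-ES2019 JavaScript.
  const json = JSON.stringify(data).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  // The leading comment defeats tricks that make the response start with
  // attacker-chosen bytes (the "Rosetta Flash" class of attacks); nosniff keeps
  // browsers from treating it as anything but script.
  const body = '/**/ typeof ' + callbackName + " === 'function' && " + callbackName + '(' + json + ');';
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: body,
  };
}

// Client side: inject the script with a unique callback name, a timeout, and
// cleanup. Nothing here can make the remote server trustworthy; you are
// running its code with your page's privileges.
let jsonpCounter = 0;
function loadJsonp(url, timeoutMs) {
  return new Promise(function (resolve, reject) {
    const name = '__jsonp' + (++jsonpCounter) + '_' + Math.random().toString(36).slice(2);
    const script = document.createElement('script');
    const timer = setTimeout(function () { cleanup(); reject(new Error('jsonp timeout')); }, timeoutMs);
    function cleanup() {
      clearTimeout(timer);
      delete window[name];
      if (script.parentNode) script.parentNode.removeChild(script);
    }
    window[name] = function (data) { cleanup(); resolve(data); };
    script.onerror = function () { cleanup(); reject(new Error('jsonp load failed')); };
    script.src = url + (url.indexOf('?') < 0 ? '?' : '&') + 'callback=' + encodeURIComponent(name);
    document.head.appendChild(script);
  });
}

// Offline demo of the server half with constructed data.
const demoResponse = jsonpResponse('handleItems', { items: ['a', 'b'] });
// demoResponse.body -> /**/ typeof handleItems === 'function' && handleItems({"items":["a","b"]});
```

In the browser, loadJsonp('https://api.partner.example/items', 5000).then(...) registers the callback on window, adds the script tag and removes both again whether the call succeeds, fails or times out.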
CORS | Tap the Rockies Cross-Origin Resource Sharing (CORS) is a W3C Working Draft (at the time of this talk; today it lives in the WHATWG Fetch standard) that defines how the browser and server must communicate when accessing resources across origins.
CORS - HOW? The browser does it for you: a plain XMLHttpRequest to another origin becomes a CORS request (set xhr.withCredentials to true if cookies should go along).
CORS - HOW? Use it or lose it: feature-detect (does a new XMLHttpRequest have a withCredentials property?) and fall back to another technique when it’s missing.
CORS - From the Server... CORS sends along an extra header: Origin, naming the page’s origin. Your server must send back another, saying it’s ok: Access-Control-Allow-Origin with that exact origin (a * wildcard is only allowed for requests without credentials).
CORS - Compatibility IE 8+ (most of it, at least: IE8/9 only have XDomainRequest, which sends no cookies and no custom headers) FF 3.5+ Safari 4+ Chrome Unrelated Graph
CORS - What’s it Good For? Not working on 40% of the internet (at the time). Creating an extra HTTP request (the preflight OPTIONS request, usually only once thanks to Access-Control-Max-Age). Custom grouping options. Finer grain control over what’s accessible. Access-Control-Allow-Credentials: true lets cookies ride along, but then the server must name one exact origin (no wildcard) and must never simply echo back whatever Origin it was sent. Straight Up Cross Domain XHR (yay!)
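The server-side decision the last two slides describe, as an added example (not code from the slides). The allowlisted origins are hypothetical, and req is assumed to be an object with method and headers, the header names lowercased as Node’s http module delivers them. It avoids the three mistakes that turn "finer grain control" into a hole: reflecting any Origin, answering * together with credentials, and forgetting Vary.

```javascript
// Added example, not from the slides: the server-side half of CORS. The
// origins are hypothetical; req is { method, headers } with lowercase header
// names, as Node's http module delivers them.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

function corsHeaders(req, allowedOrigins, allowCredentials) {
  allowedOrigins = allowedOrigins || ALLOWED_ORIGINS;
  const origin = req.headers['origin'];
  // Always Vary on Origin: a shared cache must not hand origin A's answer to B.
  const headers = { 'Vary': 'Origin' };
  // Exact string match against an allowlist. Suffix checks such as
  // origin.endsWith('app.example') let https://evil-app.example through, and
  // the opaque origin "null" (sandboxed frames, file://) is never trustworthy.
  if (typeof origin !== 'string' || origin === 'null' || !allowedOrigins.has(origin)) {
    // Not ours: send no Access-Control-Allow-Origin at all. The browser then
    // blocks the cross-origin read; same-origin callers are unaffected.
    return { allowed: false, preflight: false, headers: headers };
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) {
    // Cookies/HTTP auth may flow, so the answer must name one origin: browsers
    // reject "*" here, which is exactly why a reflected Origin is so dangerous.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (preflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';  // cache the preflight: "usually only once"
  }
  return { allowed: true, preflight: preflight, headers: headers };
}

// Client side ("use it or lose it"): feature-detect, fall back otherwise.
function createCorsRequest(method, url) {
  if (typeof XMLHttpRequest !== 'undefined' && 'withCredentials' in new XMLHttpRequest()) {
    const xhr = new XMLHttpRequest();
    xhr.open(method, url, true);
    xhr.withCredentials = true;  // send cookies; needs Allow-Credentials: true from the server
    return xhr;
  }
  if (typeof XDomainRequest !== 'undefined') {  // IE8/9: no cookies, no custom headers
    const xdr = new XDomainRequest();
    xdr.open(method, url);
    return xdr;
  }
  return null;  // no CORS here: JSONP, window.name or a proxy instead
}

// Offline demo with constructed requests.
const demoGet = corsHeaders({ method: 'GET', headers: { origin: 'https://app.example' } }, null, true);
const demoPreflight = corsHeaders({ method: 'OPTIONS', headers: { origin: 'https://app.example', 'access-control-request-method': 'PUT' } }, null, true);
const demoEvil = corsHeaders({ method: 'GET', headers: { origin: 'https://evil-app.example' } }, null, true);
// demoGet.headers  -> Vary: Origin, Access-Control-Allow-Origin: https://app.example, Access-Control-Allow-Credentials: true
// demoEvil.headers -> Vary: Origin only
```

For a preflight the server writes these headers and ends the response with no body; for the real request it writes them in front of the normal response. The corresponding browser check is the only thing stopping the read, so a non-browser client never sees any difference.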
Document.domain Hackz Good for allowing cross-subdomain window access: both pages (say www.example.com and api.example.com) set document.domain to "example.com" and can then read each other’s windows. Now the subdomain has the same permissions for access, in both directions. Can be very useful even if you don’t own the site, because subdomains can be CNAMEd to totally different webservers. That is also the risk: every host under that domain, including whatever third party got CNAMEd in, gets full script access to your page (and setting document.domain also drops the port from the origin check). Works in all relevant browsers at the time of this talk; modern browsers have deprecated it, and Chrome ignores the setter by default unless the page opts out with an Origin-Agent-Cluster: ?0 header.
Window.name HI! I’m Jerry the Window!
Window.name Superhacky but safer than JSONP! The iframe loads the other site; that page writes its answer into window.name (which survives navigation), then navigates the frame back to a blank page on your own domain so your script can read the name, and you clear it. Safer because nothing from the other site executes in your page: you get a string and parse it. Works everywhere relevant. **This is obviously a little simplified. Added to Dojo 2 years ago: http://bugs.dojotoolkit.org/ticket/6893
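The transport spelled out on both sides, as an added example that is neither the slides’ code nor Dojo’s implementation. The domains a.example (requester) and b.example (data source), the blank page path and the message format are hypothetical; the demo uses constructed window objects in place of a real iframe so that it runs outside a browser.

```javascript
// Added example, not from the slides or from the Dojo ticket: the window.name
// transport with both halves spelled out. a.example (requester), b.example
// (data source) and the page paths are hypothetical.

// b.example side, running inside the iframe that a.example created. Puts the
// reply in window.name, which survives navigation, then moves the frame to a
// page on the requester's origin so the requester may read it. As with JSONP,
// only hand out data every embedding site is allowed to see: any page that
// frames this one gets the reply.
function remoteSideReply(win, payload, returnUrl) {
  win.name = JSON.stringify({ v: 1, data: payload });
  win.location.replace(returnUrl);   // replace(): do not leave b.example in the history
}

// a.example side. Read the name once the frame is back on our origin, then
// clear it: window.name is writable by every document that was ever in the
// frame, so it is untrusted input and must not linger for the next one.
function readWindowNameReply(frame, expectedReturnUrl) {
  let name;
  try {
    // Both accesses throw SecurityError while the frame is still on b.example.
    if (frame.contentWindow.location.href !== expectedReturnUrl) return null;
    name = frame.contentWindow.name;
  } catch (e) {
    return null;                     // not back yet: poll again
  }
  frame.contentWindow.name = '';
  let msg;
  try { msg = JSON.parse(name); } catch (e) { return { ok: false, error: 'malformed reply' }; }
  if (!msg || msg.v !== 1) return { ok: false, error: 'unexpected reply format' };
  return { ok: true, data: msg.data };
}

// Poll until the reply is readable or we give up; resolves with the result.
function waitForWindowNameReply(frame, expectedReturnUrl, intervalMs, maxTries) {
  return new Promise(function (resolve) {
    let tries = 0;
    const timer = setInterval(function () {
      const result = readWindowNameReply(frame, expectedReturnUrl);
      if (result !== null || ++tries >= maxTries) {
        clearInterval(timer);
        resolve(result || { ok: false, error: 'timeout' });
      }
    }, intervalMs);
  });
}

// Offline demo with constructed window objects in place of a real iframe.
const RETURN_URL = 'https://a.example/blank.html';
const fakeWin = { name: '', location: { href: 'https://b.example/data', replace(url) { this.href = url; } } };
const crossOriginFrame = {
  contentWindow: {
    get location() { throw new Error('SecurityError'); },
    get name() { throw new Error('SecurityError'); },
  },
};
const tooEarly = readWindowNameReply(crossOriginFrame, RETURN_URL);   // null: still on b.example
remoteSideReply(fakeWin, { items: ['a', 'b'] }, RETURN_URL);
const reply = readWindowNameReply({ contentWindow: fakeWin }, RETURN_URL);   // { ok: true, data: { items: [...] } }
```

In a real page the requester creates a hidden iframe pointing at b.example, calls waitForWindowNameReply(iframe, RETURN_URL, 50, 200) and removes the frame afterwards; the blank page must really exist on a.example (a 404 page on the same origin also works, but a real page avoids log noise).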
Server Side Proxies Pretty simple concept, only slightly more difficult to implement: mySite → myServer → yourSite, so from the browser’s point of view it’s all same-origin. http://benalman.com/projects/php-simple-proxy/ Works everywhere XHR does. Lock the proxy to the hosts you meant to reach, otherwise you have shipped an open proxy into your own network.
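The target check a proxy like that needs, as an added example (this is not code from the slides or from php-simple-proxy; the allowlisted partner hosts are hypothetical). It uses an exact scheme-and-host allowlist rather than a denylist of private addresses, and strips anything from the client request that would let the browser use the proxy’s own credentials.

```javascript
// Added example, not from the slides or from php-simple-proxy: the target check
// a server-side proxy needs so it does not become an open proxy into your own
// network. The allowlisted hosts are hypothetical.
const PROXY_ALLOWLIST = [
  { protocol: 'https:', host: 'api.partner.example' },
  { protocol: 'https:', host: 'feeds.partner.example' },
];

function resolveProxyTarget(rawUrl, allowlist) {
  allowlist = allowlist || PROXY_ALLOWLIST;
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return { ok: false, reason: 'unparseable url' };
  }
  // "https://api.partner.example@evil.example/" parses with host evil.example;
  // reject userinfo outright rather than relying on the host check alone.
  if (url.username || url.password) {
    return { ok: false, reason: 'userinfo not allowed' };
  }
  // Exact scheme+host(+port) match against an allowlist. A denylist of private
  // ranges misses the next bypass (decimal IPs, IPv6 forms, DNS rebinding);
  // an allowlist keeps 169.254.169.254 and localhost out by construction.
  const match = allowlist.some(function (a) {
    return a.protocol === url.protocol && a.host === url.host;
  });
  if (!match) {
    return { ok: false, reason: 'target not allowlisted: ' + url.protocol + '//' + url.host };
  }
  return { ok: true, target: url.href };
}

// Request options the proxy should use once the target is accepted: no
// redirect following (each hop would need the same check), a short timeout,
// and none of the browser's cookies or auth headers for *our* site forwarded.
function proxyRequestOptions(target, clientHeaders) {
  const forwarded = {};
  ['accept', 'accept-language', 'content-type'].forEach(function (h) {
    if (clientHeaders && clientHeaders[h]) forwarded[h] = clientHeaders[h];
  });
  return { url: target, method: 'GET', headers: forwarded, followRedirects: false, timeoutMs: 5000 };
}

// Offline demo with constructed inputs.
const demoOk = resolveProxyTarget('https://api.partner.example/v1/items?x=1');
const demoMeta = resolveProxyTarget('http://169.254.169.254/latest/meta-data/');
const demoOpts = proxyRequestOptions(demoOk.target, { accept: '*/*', cookie: 'session=abc' });
// demoOk   -> { ok: true, target: 'https://api.partner.example/v1/items?x=1' }
// demoMeta -> { ok: false, reason: 'target not allowlisted: http://169.254.169.254' }
```

The proxy endpoint then looks up the target with resolveProxyTarget, returns 400 on any ok: false result, and performs the upstream request with proxyRequestOptions; if the upstream answers with a redirect, the new Location goes through resolveProxyTarget again before it is followed.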
Crazy iFrame Hacks FACTS: A parent window can’t read just about anything from a child window (iframe) that is on a different domain. A parent window can still traverse the frame tree (window.frames) and reach any known nested frames, though. A parent window can set the location of the iframe, even cross-domain.
Crazy iFrame Hacks A window can read and write properties of an iframe if it’s on the same domain - EVEN IF it’s inside of another iframe that isn’t on the same domain! (a.com > b.com > a.com)
Crazy iFrame Hacks If B wants to talk to A (a.com > b.com > a.com): change the url hash on the innermost iframe to the message (/#secret), then have the top level frame read the message off the hash.
Crazy iFrame Hacks How to know when to receive data: poll for hashchange the entire time; set up iframes to destroy themselves after each message and just wait for the load event; or resize the iframe on change, then attach a resize event handler that checks for new data. Fast (where it works).
Crazy iFrame Hacks Works at varying levels of success via some slightly different methods in all relevant browsers Unfortunately often our best choice for something that works everywhere
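The fragment transport described above, with the polling reader, as an added example (not code from the slides). Domains a.example and b.example, the page path and the message framing are hypothetical; the sequence number is added because a polling reader otherwise cannot tell a fresh message from the one it already handled, or notice that a fast sender overwrote a hash before it was read.

```javascript
// Added example, not from the slides: the fragment-identifier transport
// (a.example > b.example > a.example) with a sequence number so a polling
// reader can tell a new message from one it already handled. Names and URLs
// are hypothetical.

// b.example side: write the message into the hash of the innermost frame, which
// it can navigate (setting location is allowed cross-origin) but not read. A
// hash-only change does not reload the frame, so it is cheap and fast.
function encodeHashMessage(seq, payload) {
  return '#' + seq + '.' + encodeURIComponent(JSON.stringify(payload));
}
function sendViaHash(innerWin, innerUrl, seq, payload) {
  // innerUrl must be the a.example document already loaded there, without a
  // fragment; only the fragment changes. Keep payloads small: the whole URL has
  // to fit the browser's URL limit (about 2 KB in old IE), so chunk anything bigger.
  innerWin.location.href = innerUrl + encodeHashMessage(seq, payload);
}

// a.example (top window) side: same-origin with the innermost frame, so it can
// read the hash. Polling may see the same hash on several ticks, and a fast
// sender may overwrite a hash before we read it; the sequence number turns both
// cases into "duplicate" and "gap" results instead of silent errors. The hash
// is still untrusted input: anything holding a reference to the frame can set it.
function makeHashReceiver() {
  let lastSeq = -1;
  return function poll(innerWin) {
    let hash;
    try {
      hash = innerWin.location.hash;
    } catch (e) {
      return { status: 'inaccessible' };   // frame currently holds a cross-origin document
    }
    const m = /^#(\d+)\.(.*)$/.exec(hash || '');
    if (!m) return { status: 'idle' };
    const seq = Number(m[1]);
    if (seq <= lastSeq) return { status: 'duplicate', seq: seq };
    const gap = lastSeq >= 0 && seq !== lastSeq + 1;
    lastSeq = seq;
    let data;
    try {
      data = JSON.parse(decodeURIComponent(m[2]));
    } catch (e) {
      return { status: 'malformed', seq: seq };
    }
    return { status: 'message', seq: seq, data: data, gap: gap };
  };
}

// Offline demo: a constructed location object stands in for the inner frame.
const fakeLocation = {
  href: 'https://a.example/proxy.html',
  get hash() { const i = this.href.indexOf('#'); return i < 0 ? '' : this.href.slice(i); },
};
const innerFrame = { location: fakeLocation };
const receive = makeHashReceiver();
const before = receive(innerFrame);                                   // { status: 'idle' }
sendViaHash(innerFrame, 'https://a.example/proxy.html', 0, { ping: 1 });
const first = receive(innerFrame);                                    // message, seq 0, gap false
const again = receive(innerFrame);                                    // duplicate
sendViaHash(innerFrame, 'https://a.example/proxy.html', 2, { ping: 3 });
const skipped = receive(innerFrame);                                  // message, seq 2, gap true
```

In a real page the top window keeps a reference to the innermost frame (top.frames[0].frames[0] when the nesting is fixed) and calls the receiver from a setInterval or from a hashchange listener on that frame; a gap result means a message was lost and the sender should be asked to resend.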
Best of both worlds? EasyXDM A library that will use postMessage first and then a series of  different techniques based on which browser you use, but with normalized syntax. http://easyxdm.net/
Best of Both Worlds? flXHR / Flash + your own fallback http://flxhr.flensed.com/ (Flash has since been removed from browsers, so this one is history.)
What about cookies? Cookies are insanely easy to steal, err.. I mean share, across domains with these techniques: a third-party domain’s own cookies are sent along with the requests for its script includes and injected iframes, so the third party can recognise you on every site that embeds it. With the exception of Safari, that is. (You might need some P3P headers in IE.) Browsers have since tightened this up: SameSite defaults and third-party cookie blocking mean the cookie often no longer rides along.
What about cookies in Safari? Safari doesn’t send cookies along in scripts and iframes, so there’s nothing to send to the parent. Unless you ask nicely...
What about cookies in Safari? If we POST to an iframe it will thank us by sending cookies (old Safari only took third-party cookies once the user appeared to interact with that party, and a form submission counted). http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/
Why Cookies? If I had a network of sites that I wanted to track you across, it would be easy for me to maintain a central cookie and check for it on every site that you enter that contains my code. (<cough>advertisers</cough>) TotallyNotTrackingYou.com holds your unique cookie; the other sites just include its script.
Lessons With great cross domain communication techniques come great cross domain security holes Safe and FUN cross-domain communication is possible Paul Irish  hates  cold-cuts  , seriously
Thanks! Alex Sexton AlexSexton [at] gmail [dot] com @SlexAxton http://yayQuery.com Special Thanks to : yayQuery Peeps, BazaarVoice, Aaron Dixon, Shawn Smith, EasyXDM, flXHR, Mozilla MDC

High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 

Breaking The Cross Domain Barrier

  • 1. Breaking The Cross Domain Barrier Alex Sexton
  • 2. A Story... AJAX is so nifty! We can do anything! FML :(
  • 3. Same Origin Policy Applies to XMLHTTPRequests Stops hackers from getting our data!
  • 4. Same Origin Policy It’s actually an important rule. You wouldn’t want to have this happen:
  • 5. Same Origin Policy It’s actually an important rule. You wouldn’t want to have this happen:
  • 6. YEA BUT WHAT IF... I own both sites and I just want to make them talk? The site I want information from says it’s okay? I don’t give a shit?!
  • 7. The Solution Post Message.
  • 9. <RecordScratch.wav> Browser Vendors have realized that there is a need for cross domain messaging. IE6 ruins your life again and again. There is not a single solution that solves every problem in every browser :(
  • 10. Some Options postMessage JSONP CORS document.domain mods window.name Transport Server-Side Proxy CRAZY IFRAME STUFF MOAR
  • 11. Post Message Just pass messages between window objects! It’s safe(ish) because both pages have to know about it.
  • 12. Post Message Handle the message event in the otherWindow
  • 13. Post Message Passing events along from one window to the other Initializing the state of a new window Synchronizing two pages Most things, but it’s not always practical What’s it good for?
  • 14. Post Message Works In... FF3+ IE8+ Chrome 1+ Safari 4+ Kind of in Opera for a while but it’s a little different but good enough probably so we’ll count it
  • 15. JSONP JavaScript Object Notation with Padding. (dumb I know)
  • 16. JSONEN JavaScript Object Notation Except Not **Formerly JSONP
  • 17. JSON A standard (mostly) created by the Crock. A subset of JavaScript with some extra rules Non-Executable - just for data
  • 19. JSONP - Why it’s special The ‘P’ <script> tags are not subject to the Same Origin Policy (A total security flaw that will never change)
  • 20. How JSONP Works Step 1: You create a callback function that accepts some data
  • 21. How JSONP Works Step 2: Include a script with a hint of what your function is called. hint-hint
  • 22. How JSONP Works Step 3: Output a script that calls the function and passes in the necessary data.
  • 23. JSONP Is Good For... Data Passing RESTful APIs 1-(way/time)-ish cross domain communication Hacking
  • 24. CORS | Tap the Rockies Cross-Origin Resource Sharing (CORS) is a W3C Working Draft that defines how the browser and server must communicate when accessing sources across origins.
  • 26. CORS - HOW? Use it or lose it
  • 27. CORS - From the Server... CORS sends along an extra header: Your server must send back another, saying it’s ok:
  • 28. CORS - Compatibility IE 8+ (most of it, at least) FF 3.5+ Safari 4+ Chrome Unrelated Graph
  • 29. CORS - What’s it Good For? Not working on 40% of the internet Creating an extra http request (usually only once) Custom grouping options Finer grain control over what’s accessible Access-Control-Allow-Credentials: true Straight Up. Cross Domain XHR (yay!)
  • 30. Document.domain Hackz Good for allowing Cross Sub domain window access Now the subdomain has the same permissions for access Can be very useful even if you don’t own the site, because subdomains can be cnamed to totally different webservers Works in all relevant browsers
  • 31. Window.name HI! I’m Jerry the Window!
  • 32. Window.name Superhacky but safer than jsonp! Works everywhere relevant **This is obviously a little simplified Added to Dojo 2 years ago: http://bugs.dojotoolkit.org/ticket/6893
  • 33. Server Side Proxies Pretty simple concept, only slightly more difficult to implement (diagram: mySite, myServer, yourSite) http://benalman.com/projects/php-simple-proxy/ Works everywhere XHR does
  • 34. Crazy iFrame Hacks A parent window can’t read just about anything from a child window (iframe) that is on a different domain. A parent window can traverse any known elements in an iframe though. A parent window can set properties on the iframe. FACTS
  • 35. Crazy iFrame Hacks A window can read and write properties of an iframe if it’s on the same domain - EVEN IF it’s inside of another iframe that isn’t on the same domain! (diagram: a.com > b.com > a.com nested iframes)
  • 36. Crazy iFrame Hacks If B wants to talk to A (diagram: a.com > b.com > a.com) Change the url hash on the innermost iframe to the message /#secret
  • 37. Crazy iFrame Hacks If B wants to talk to A (diagram: a.com > b.com > a.com) Have the top level frame read the message on the hash /#secret
  • 38. Crazy iFrame Hacks How to know when to receive data: Poll for hashchange the entire time; Set up iframes to destroy themselves after each message and just wait for the load event; Resize the iframe on change, then attach an event handler on the resize event that checks for new data. Fast (where it works)
  • 39. Crazy iFrame Hacks Works at varying levels of success via some slightly different methods in all relevant browsers Unfortunately often our best choice for something that works everywhere
  • 40. Best of both worlds? EasyXDM A library that will use postMessage first and then a series of different techniques based on which browser you use, but with normalized syntax. http://easyxdm.net/
  • 41. Best of Both Worlds? flXHR / Flash + your own fallback http://flxhr.flensed.com/
  • 42. What about cookies? Cookies are insanely easy to steal, err.. I mean share, across domains with these techniques. With the exception of Safari, cookies are passed from the server along with script includes and iframe injection. (You might need some P3P headers in IE)
  • 43. What about cookies in Safari? Safari doesn’t send cookies along in scripts and iframes, so there’s nothing to send to the parent. Unless you ask nicely...
  • 44. What about cookies in Safari? If we post to an iframe it will thank us by sending cookies http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/
  • 45. Why Cookies? If I had a network of sites that I wanted to track you across, it would be easy for me to maintain a central cookie and check for it on every site that you enter that contains my code. (<cough>advertisers</cough>) (diagram: TotallyNotTrackingYou.com holds your unique cookie; Other Sites)
  • 46. Lessons With great cross domain communication techniques come great cross domain security holes Safe and FUN cross-domain communication is possible Paul Irish hates cold-cuts , seriously
  • 47. Thanks! Alex Sexton AlexSexton [at] gmail [dot] com @SlexAxton http://yayQuery.com Special Thanks to : yayQuery Peeps, BazaarVoice, Aaron Dixon, Shawn Smith, EasyXDM, flXHR, Mozilla MDC
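The postMessage handling of slides 11 to 14, as an added example that is not code from the slides: a receiver that keeps the "safe(ish)" promise by checking event.origin, and a sender that names a targetOrigin. The origins and message types are constructed for the example.

```javascript
// Added example, not from the slides: postMessage receiver and sender.
// Trust comes from event.origin on receive and targetOrigin on send.
// Origins and message types below are constructed for the example.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widget.example.com',
]);

// Message types we understand; anything else is dropped. Messages are data only.
const HANDLERS = {
  // Slide 13: synchronizing state between two windows.
  'sync-state': (m) => ({ accepted: true, payload: { theme: String(m.theme || 'light') } }),
  'ping': () => ({ accepted: true, payload: { pong: true } }),
};

// Decide what to do with one MessageEvent-like object ({ origin, data }).
function handleMessageEvent(event) {
  // The sender's origin, not the message body, is the trust decision.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: 'malformed JSON' };
  }
  if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'missing type' };
  }
  const handler = HANDLERS[msg.type];
  if (!handler) return { accepted: false, reason: 'unknown type ' + msg.type };
  return handler(msg);
}

// Sender side: name the target origin so the browser drops the message if the
// frame has navigated elsewhere; '*' is refused because state is being shared.
function sendToWindow(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post to any origin');
  targetWindow.postMessage(JSON.stringify(message), targetOrigin);
}

// Browser wiring (skipped outside a browser): reply only to the verified origin.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (ev) => {
    const r = handleMessageEvent(ev);
    if (r.accepted && ev.source) sendToWindow(ev.source, r.payload, ev.origin);
  });
}
```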
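The three JSONP steps of slides 20 to 22 end to end, as an added example that is not code from the slides: the server wraps the data in a call to the named callback, and the script include is simulated so the round trip runs under Node. The endpoint, host and the handleResults name are constructed; the callback-name check is the usual defence for the name the server echoes into executable script.

```javascript
// Added example, not from the slides: JSONP client and server halves.
// The endpoint, host and handleResults name are constructed for the example.

// Only identifier-style callback names are accepted. The server echoes this
// name into JavaScript that every including page executes, so an unchecked
// value is a script injection point rather than a data bug.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;

// Step 3 (server): output a script that calls the function with the data.
function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_NAME.test(callbackName)) throw new Error('invalid JSONP callback name');
  // JSON is a valid JS expression except for U+2028/U+2029, which older
  // engines treat as line terminators; escape them to keep the script intact.
  const json = JSON.stringify(data).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return '/**/ ' + callbackName + '(' + json + ');';
}

// Step 1 (client): create a callback function that accepts some data.
function createJsonpClient(globalObject) {
  const results = [];
  globalObject.handleResults = (data) => { results.push(data); };
  return {
    // Step 2 (client): include a script whose URL names that function.
    scriptUrlFor: (endpoint) => endpoint + '?callback=handleResults',
    results,
  };
}

// Simulated <script> tag: evaluate the response body with the fake window's
// properties in scope, as the browser would in the real global scope.
function runScriptInScope(body, globalObject) {
  const names = Object.keys(globalObject);
  new Function(...names, body)(...names.map((n) => globalObject[n]));
}

// Full round trip: build the URL, let the "server" answer, execute the script.
function jsonpRoundTrip(data) {
  const fakeWindow = {};
  const client = createJsonpClient(fakeWindow);
  const url = new URL(client.scriptUrlFor('/api/items'), 'https://api.example.test');
  const body = buildJsonpResponse(url.searchParams.get('callback'), data);
  runScriptInScope(body, fakeWindow);
  return client.results[0];
}
```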
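The server half of the CORS exchange on slide 27 (the browser sends Origin, the server answers with Access-Control-Allow-*), including the preflight that is the "extra http request" of slide 29, as an added example that is not code from the slides. The allowed origins, headers and methods are constructed; the function takes a plain request object rather than any particular framework's.

```javascript
// Added example, not from the slides: CORS decision for one request.
// Allowed origins, headers and methods are constructed for the example.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_HEADERS = new Set(['content-type', 'x-requested-with']);
const ALLOWED_METHODS = 'GET, POST, PUT';

// Compute CORS response headers for a request given as { method, headers }
// with lower-case header names. Returns null when no Origin header is present
// (same-origin or non-browser client), otherwise { status, headers }.
function corsHeadersFor(req, { allowCredentials = false, maxAgeSeconds = 600 } = {}) {
  const origin = req.headers['origin'];
  if (origin === undefined) return null;
  // Unknown origin: send no Access-Control-Allow-Origin at all, so the
  // browser withholds the response from the calling script.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  // Echo the one matching origin rather than '*'. Browsers reject '*' when
  // Access-Control-Allow-Credentials is true, and an echoed value must be
  // marked with Vary so a cache never serves it to a different origin.
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!isPreflight) return { status: 200, headers };

  // Preflight: approve only methods and headers we listed, and let the
  // browser cache the answer so the extra request is usually made once.
  const asked = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (asked.some((h) => !ALLOWED_HEADERS.has(h))) return { status: 403, headers: {} };
  if (!ALLOWED_METHODS.split(', ').includes(req.headers['access-control-request-method'])) {
    return { status: 403, headers: {} };
  }
  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
  if (asked.length) headers['Access-Control-Allow-Headers'] = asked.join(', ');
  headers['Access-Control-Max-Age'] = String(maxAgeSeconds);
  return { status: 204, headers };
}
```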