SlideShare a Scribd company logo

Cross-Domain Communication Methods in JavaScript

ChenKuo Chen
ChenKuo Chen

This document discusses methods for enabling cross-domain communication in JavaScript. It begins by explaining the need for cross-domain communication to access third-party APIs and the browser's same-origin policy security restriction. It then describes several approaches for implementing cross-domain communication including using iframes, the postMessage API for cross-window messaging, server-side proxies, JSONP, and the CORS HTTP header for enabling cross-origin requests directly in JavaScript.

Software
1 of 28
Download to read offline
Javascript Cross-Domain Communication NIT-Jasper
Outline ● Why we need cross-domain communication? ● Same origin policy. ● Cross-domain methods ○ JS to JS ■ Iframe ■ postmessage ○ JS to Server side ■ Server side proxy ■ jsonp ■ HTTP cross domain header - CORS
Why We Need Cross-Domain Communication? ● Third party API ○ JS API ■ ex: Facebook SDK ○ Server side API ■ ex: Flickr API
Same Origin Policy ● Browser restricts how a document/script interact with one from another origin. ○ Security concerns: ■ like CSRF attack. ○ Some cross-origin resources are allowed: ■ stylesheets ■ script ■ frame/iframe(can be disabled by X-Frame-Options) ○ For XMLHttpRequest(Ajax): ■ Url which Ajax called must be in the same origin in current page.
Same Origin Policy Ajax:
Same Origin Policy Ajax:
Same Origin Policy ● Origin example: URL Outcome Reason http://store.company.com/dir2/other.html http://store.company.com/dir/inner/another.html same origin https://store.company.com/secure.html different origin protocol http://store.company.com:81/dir/etc.html different origin port http://news.company.com/dir/other.html different origin url
Cross-Domain Methods ● JS to JS (Cross window communication): ○ Iframe ○ postmessage ● Following example will use www.A.com and www.B.com
Iframe ● You have to control both www.A.com and www.B.com. ● Constrains about iframe: ○ A parent window cannot read anything from child iframe with different domain. ○ A parent window can read/write properties of an iframe if they are on the same domain. Even it is inside other iframes that isn’t on the same domain. ○ A parent window can traverse known elements in an iframe. ■ windows.Bframe.Aframe.XXX ○ A parent window can determine the url when creating the iframe.
Iframe B.com is embemded in A.com.
Iframe If B.com want to talk to A.com. Create a child iframe with url: www.A.com/#data
Iframe Outer window A.com can read the location hash of that iframe. windows.Bframe.Aframe.location.hash To get the inner iframe: ● polling for the iframe ● resize the iframe when data changed. Attach an event listener for iframe size change.
Iframe ● No browser version limit, it works on IE/Chrome/Firefox of almost every versions. ● More like a HACK. ● Facebook SDK use it as a final method if postmessage doesn’t work. So what is postmessage???
Postmessage ● A javascript API. ● A method of window object. ● Very easy to use. ● Browser support: IE Chrome FireFox Opera Safari 8.0 1.0 6.0 9.5 4.0
Postmessage ● You have to control both windowA(www.A.com) and window B(www.B.com). ● Basic Usage: This window is instance of window A
Cross-Domain Methods ● JS to Server: ○ Server side proxy ○ jsonp ○ HTTP CORS header ● Following example will use www.A.com and www.B.com ● Client script on A.com want to acces API in B.com.
Server Side Proxy ● A workaround to avoid same origin policy of browser.
Server Side Proxy ● A workaround to avoid same origin policy of browser.
Server Side Proxy ● Disadvantage: ○ Increase backend server loading. ○ a little complicated to implement.
Jsonp ● Use script tag ○ Script tag is not restricted by same origin policy. ○ Script tag imports an embedded script. ○ Server side can return a piece of scripts including json data.
Jsonp Example:
Jsonp ● Easy to use for data passing. ● jQuery implement jsonp into it ajax method. ○ Need specify datatype as ‘jsonp’
CORS Header ● Cross-Origin Resource Sharing(CORS) is a W3C draft which define rules for browser and server cross-origin communication. ● Simple request: Only use GET, HEAD, POST ● Preflighted request: method other than GET, HEAD, POST
CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Origin" ■ A white list for domains which are allow to communicate with this server. ■ Access-Control-Allow-Origin: http://www.synolog.com ■ Access-Control-Allow-Origin *
CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Methods" ■ Methods are allowed to used in preflighted request. ■ Access-Control-Allow-Methods: GET, HEAD, POST, ...
CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Credentials" ■ Determine whether an ajax can do withCredentails request ● a withCredentail=true ajax request will send with cookies and authorization headers. In other words, cookies will send to a side with different domain. ■ If ajax send request with “withCredentaila=true” and server response access-control-allow-credentials:false, browser will reject this response. ■ Access-Control-Allow-Origin cannot be wildcard(*) when ajax call with withCredentail=true.
CORS Header Example response:
Thanks Q & A

Recommended

Same origin policy
Same origin policySame origin policy
Same origin policyVivek Madurai
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain BarrierAlex Sexton
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Modernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsModernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsAlex Sexton
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 

Recommended

Same origin policy
Same origin policySame origin policy
Same origin policyVivek Madurai
 
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicyBrowsers_SameOriginPolicy_CORS_ContentSecurityPolicy
Browsers_SameOriginPolicy_CORS_ContentSecurityPolicysubbul
 
Breaking The Cross Domain Barrier
Breaking The Cross Domain BarrierBreaking The Cross Domain Barrier
Breaking The Cross Domain BarrierAlex Sexton
 
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016
Misconfigured CORS, Why being secure isn't getting easier. AppSec USA 2016Evan J Johnson (Not a CISSP)
 
Cross-domain requests with CORS
Cross-domain requests with CORSCross-domain requests with CORS
Cross-domain requests with CORSVladimir Dzhuvinov
 
CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)securityn|u - The Open Security Community
 
Modernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsModernizr, Yepnope, and Polyfills
Modernizr, Yepnope, and PolyfillsAlex Sexton
 
Web Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSWeb Security - Cookies, Domains and CORS
Web Security - Cookies, Domains and CORSPerfectial, LLC
 
Cross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSCross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSMichael Neale
 
Basic web architecture
Basic web architectureBasic web architecture
Basic web architectureRalu Mihordea
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Robots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml CreationRobots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml CreationJahid Hasan
 
Your first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementationYour first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementationJérôme Verstrynge
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
J s o n
J s o nJ s o n
J s o nnasifalnahian
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web ServiceHiraq Citra M
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStationArabNet ME
 
Web Architecture
Web ArchitectureWeb Architecture
Web Architecturesudip pudasaini
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexingLukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexingiGB Affiliate
 
Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...Droidcon Eastern Europe
 
Introduction to Rest Protocol
Introduction to Rest ProtocolIntroduction to Rest Protocol
Introduction to Rest ProtocolAvinash Ketkar
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with LumenKit Brennan
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakesguest2821a2
 
Browser extension
Browser extensionBrowser extension
Browser extensionCosmin Stefanache
 
Improving spam detection with automaton
Improving spam detection with automatonImproving spam detection with automaton
Improving spam detection with automatonAntonio Costa aka Cooler_
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A HackerPaul Tarjan
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin PolicyFabrizio Farinacci
 
Scraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPPaul Redmond
 

More Related Content

What's hot

Cross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSCross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSMichael Neale
 
Basic web architecture
Basic web architectureBasic web architecture
Basic web architectureRalu Mihordea
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecuritySanjeev Verma, PhD
 
Robots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml CreationRobots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml CreationJahid Hasan
 
Your first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementationYour first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementationJérôme Verstrynge
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknessesIvan Novikov
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web ServiceHiraq Citra M
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStationArabNet ME
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexingLukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexingiGB Affiliate
 
Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...Droidcon Eastern Europe
 
Introduction to Rest Protocol
Introduction to Rest ProtocolIntroduction to Rest Protocol
Introduction to Rest ProtocolAvinash Ketkar
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with LumenKit Brennan
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakesguest2821a2
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A HackerPaul Tarjan
 

What's hot (20)

Cross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORSCross site calls with javascript - the right way with CORS
Cross site calls with javascript - the right way with CORS
 
Basic web architecture
Basic web architectureBasic web architecture
Basic web architecture
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
Robots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml CreationRobots.txt and Sitemap.xml Creation
Robots.txt and Sitemap.xml Creation
 
Your first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementationYour first sitemap.xml and robots.txt implementation
Your first sitemap.xml and robots.txt implementation
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0
 
Data normalization weaknesses
Data normalization weaknessesData normalization weaknesses
Data normalization weaknesses
 
J s o n
J s o nJ s o n
J s o n
 
Basic Introduction About API Web Service
Basic Introduction About API Web ServiceBasic Introduction About API Web Service
Basic Introduction About API Web Service
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStation
 
Web Architecture
Web ArchitectureWeb Architecture
Web Architecture
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexingLukasz Zelezny - LAC 2017 - Optimising site structure for indexing
Lukasz Zelezny - LAC 2017 - Optimising site structure for indexing
 
Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...Preparing your web services for Android and your Android app for web services...
Preparing your web services for Android and your Android app for web services...
 
Introduction to Rest Protocol
Introduction to Rest ProtocolIntroduction to Rest Protocol
Introduction to Rest Protocol
 
Building Awesome APIs with Lumen
Building Awesome APIs with LumenBuilding Awesome APIs with Lumen
Building Awesome APIs with Lumen
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Browser extension
Browser extensionBrowser extension
Browser extension
 
Improving spam detection with automaton
Improving spam detection with automatonImproving spam detection with automaton
Improving spam detection with automaton
 
How To Be A Hacker
How To Be A HackerHow To Be A Hacker
How To Be A Hacker
 

Similar to Cross-Domain Communication Methods in JavaScript

Scraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPPaul Redmond
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHPSeravo
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
Building Chrome Extensions
Building Chrome ExtensionsBuilding Chrome Extensions
Building Chrome ExtensionsRon Reiter
 
You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)Igalia
 
Stay Out Please
Stay Out PleaseStay Out Please
Stay Out Pleaseefim13
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATIONkrutitrivedi
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)Netsparker
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJSBen Lau
 
Phone Home: A client-side error collection system
Phone Home: A client-side error collection systemPhone Home: A client-side error collection system
Phone Home: A client-side error collection systemChris Birchall
 
New Features Coming in Browsers (RIT '09)
New Features Coming in Browsers (RIT '09)New Features Coming in Browsers (RIT '09)
New Features Coming in Browsers (RIT '09)jeresig
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...JosephTesta9
 
HTML5 New Features and Resources
HTML5 New Features and ResourcesHTML5 New Features and Resources
HTML5 New Features and ResourcesRon Reiter
 
Developing Rich Internet Applications with Perl and JavaScript
Developing Rich Internet Applications with Perl and JavaScriptDeveloping Rich Internet Applications with Perl and JavaScript
Developing Rich Internet Applications with Perl and JavaScriptnohuhu
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Ivo Andreev
 
HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)NSConclave
 

Similar to Cross-Domain Communication Methods in JavaScript (20)

The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
 
Scraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHPScraping the web with Laravel, Dusk, Docker, and PHP
Scraping the web with Laravel, Dusk, Docker, and PHP
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHP
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
Building Chrome Extensions
Building Chrome ExtensionsBuilding Chrome Extensions
Building Chrome Extensions
 
You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)You Can Work on the Web Patform! (GOSIM 2023)
You Can Work on the Web Patform! (GOSIM 2023)
 
Stay Out Please
Stay Out PleaseStay Out Please
Stay Out Please
 
PHP BASIC PRESENTATION
PHP BASIC PRESENTATIONPHP BASIC PRESENTATION
PHP BASIC PRESENTATION
 
Same-origin Policy (SOP)
Same-origin Policy (SOP)Same-origin Policy (SOP)
Same-origin Policy (SOP)
 
Making Chrome Extension with AngularJS
Making Chrome Extension with AngularJSMaking Chrome Extension with AngularJS
Making Chrome Extension with AngularJS
 
Phone Home: A client-side error collection system
Phone Home: A client-side error collection systemPhone Home: A client-side error collection system
Phone Home: A client-side error collection system
 
New Features Coming in Browsers (RIT '09)
New Features Coming in Browsers (RIT '09)New Features Coming in Browsers (RIT '09)
New Features Coming in Browsers (RIT '09)
 
Apache Cordova
Apache CordovaApache Cordova
Apache Cordova
 
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
BSides Rochester 2018: Chaim Sanders: How the Cookie Crumbles: Modern HTTP St...
 
How browser work
How browser workHow browser work
How browser work
 
HTML5 New Features and Resources
HTML5 New Features and ResourcesHTML5 New Features and Resources
HTML5 New Features and Resources
 
Developing Rich Internet Applications with Perl and JavaScript
Developing Rich Internet Applications with Perl and JavaScriptDeveloping Rich Internet Applications with Perl and JavaScript
Developing Rich Internet Applications with Perl and JavaScript
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Introduction to Web Designing
Introduction to Web DesigningIntroduction to Web Designing
Introduction to Web Designing
 
HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)HTML5 Messaging (Post Message)
HTML5 Messaging (Post Message)
 

Recently uploaded

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 

Recently uploaded (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 

Cross-Domain Communication Methods in JavaScript

  • 2. Outline ● Why we need cross-domain communication? ● Same origin policy. ● Cross-domain methods ○ JS to JS ■ Iframe ■ postmessage ○ JS to Server side ■ Server side proxy ■ jsonp ■ HTTP cross domain header - CORS
  • 3. Why We Need Cross-Domain Communication? ● Third party API ○ JS API ■ ex: Facebook SDK ○ Server side API ■ ex: Flickr API
  • 4. Same Origin Policy ● Browser restricts how a document/script interact with one from another origin. ○ Security concerns: ■ like CSRF attack. ○ Some cross-origin resources are allowed: ■ stylesheets ■ script ■ frame/iframe(can be disabled by X-Frame-Options) ○ For XMLHttpRequest(Ajax): ■ Url which Ajax called must be in the same origin in current page.
  • 7. Same Origin Policy ● Origin example: URL Outcome Reason http://store.company.com/dir2/other.html http://store.company.com/dir/inner/another.html same origin https://store.company.com/secure.html different origin protocol http://store.company.com:81/dir/etc.html different origin port http://news.company.com/dir/other.html different origin url
  • 8. Cross-Domain Methods ● JS to JS (Cross window communication): ○ Iframe ○ postmessage ● Following example will use www.A.com and www.B.com
  • 9. Iframe ● You have to control both www.A.com and www.B.com. ● Constrains about iframe: ○ A parent window cannot read anything from child iframe with different domain. ○ A parent window can read/write properties of an iframe if they are on the same domain. Even it is inside other iframes that isn’t on the same domain. ○ A parent window can traverse known elements in an iframe. ■ windows.Bframe.Aframe.XXX ○ A parent window can determine the url when creating the iframe.
  • 11. Iframe If B.com want to talk to A.com. Create a child iframe with url: www.A.com/#data
  • 12. Iframe Outer window A.com can read the location hash of that iframe. windows.Bframe.Aframe.location.hash To get the inner iframe: ● polling for the iframe ● resize the iframe when data changed. Attach an event listener for iframe size change.
  • 13. Iframe ● No browser version limit, it works on IE/Chrome/Firefox of almost every versions. ● More like a HACK. ● Facebook SDK use it as a final method if postmessage doesn’t work. So what is postmessage???
  • 14. Postmessage ● A javascript API. ● A method of window object. ● Very easy to use. ● Browser support: IE Chrome FireFox Opera Safari 8.0 1.0 6.0 9.5 4.0
  • 15. Postmessage ● You have to control both windowA(www.A.com) and window B(www.B.com). ● Basic Usage: This window is instance of window A
  • 16. Cross-Domain Methods ● JS to Server: ○ Server side proxy ○ jsonp ○ HTTP CORS header ● Following example will use www.A.com and www.B.com ● Client script on A.com want to acces API in B.com.
  • 17. Server Side Proxy ● A workaround to avoid same origin policy of browser.
  • 18. Server Side Proxy ● A workaround to avoid same origin policy of browser.
  • 19. Server Side Proxy ● Disadvantage: ○ Increase backend server loading. ○ a little complicated to implement.
  • 20. Jsonp ● Use script tag ○ Script tag is not restricted by same origin policy. ○ Script tag imports an embedded script. ○ Server side can return a piece of scripts including json data.
  • 22. Jsonp ● Easy to use for data passing. ● jQuery implement jsonp into it ajax method. ○ Need specify datatype as ‘jsonp’
  • 23. CORS Header ● Cross-Origin Resource Sharing(CORS) is a W3C draft which define rules for browser and server cross-origin communication. ● Simple request: Only use GET, HEAD, POST ● Preflighted request: method other than GET, HEAD, POST
  • 24. CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Origin" ■ A white list for domains which are allow to communicate with this server. ■ Access-Control-Allow-Origin: http://www.synolog.com ■ Access-Control-Allow-Origin *
  • 25. CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Methods" ■ Methods are allowed to used in preflighted request. ■ Access-Control-Allow-Methods: GET, HEAD, POST, ...
  • 26. CORS Header ● Server side response with CORS header: ○ "Access-Control-Allow-Credentials" ■ Determine whether an ajax can do withCredentails request ● a withCredentail=true ajax request will send with cookies and authorization headers. In other words, cookies will send to a side with different domain. ■ If ajax send request with “withCredentaila=true” and server response access-control-allow-credentials:false, browser will reject this response. ■ Access-Control-Allow-Origin cannot be wildcard(*) when ajax call with withCredentail=true.