Questions tagged [crossdomain]

55 questions
Crossdomain.xml vulnerabilities (4 votes, 1 answer)

I would like to ask two questions: Is this crossdomain.xml vulnerable (the file is placed…

Asked by Michal Koczwara
Cross Origin Resource Sharing question (4 votes, 0 answers)

I have some mockup html/javascript on my desktop, I made an ajax GET call to: http://www.bungie.net/platform/Destiny/TigerPSN/Account/4611686018429149347/Character/2305843009215132906/Activities/ and got back 200 OK with results. But I noticed that…
How to securely set a cookie on another subdomain? (4 votes, 4 answers)

I have a microservice app. hub.example.com handles authentication. When a user logs in, I need to set a cookie on learn.example.com. What is a secure way to set this? I'm aware of a few approaches: hub sets the cookie on example.com. This works, but…

Asked by paj28
What are the security implications of enabling CORS for images? (4 votes, 1 answer)

The company I work for runs a user profile photo server. I would like to fetch, visually modify (add a blur, some effects, etc.), and display those images in . The problem is that the photo server is located on a different origin and when I…

Asked by Oleg
3rd party API access: Is OAuth really required? (4 votes, 3 answers)

Having a web application with a REST API (say, our-app.com), we want to open our API to 3rd party web applications (say, their-app.com). After some research, having read about OAuth, OpenID Connect, etc., I doubt if these are really required for our…

Asked by mh8020
Is the following authentication solution safe or am I missing something? (4 votes, 2 answers)

Context: I have two web servers, ServerA (LAMP stack) and ServerB (ASP.NET stack). I think the technology (hopefully) does not matter. Both servers require authentication and are supposedly doing their job well; if not, that is out of scope in this…
Will a crossdomain.xml file reduce a potential security risk? (3 votes, 2 answers)

I maintain a website where users are allowed to upload files. I'm already doing some good MIME checks, consistency checks, virus checks, blacklist checks based on hash lists, some other custom checks, and I also used most of the best practices around…

Asked by Bob Ortiz
Is there any way to access the contents of a cross domain iframe? (3 votes, 1 answer)

I found that a subdomain of a site leaks all cookies of the site due to improper error handling. Now, I found that this site does not have an X-Frame-Options header. So, I put this subdomain in the iframe tag and it starts working. However, is…
Is xhr.withCredentials making POST endpoints vulnerable to CSRF? (3 votes, 1 answer)

From what I've seen, someone can add the following code to a malicious site (let's say: http://sth.malicioussite.com) and be able to perform ajax POST requests to a 3rd party site, along with any cookies set before: var xhr = new…

Asked by Marinos An
Automattic's Jetpack login auth... Why isn't this a security flaw? (3 votes, 2 answers)

I'm framing this question vis-à-vis Automattic and Jetpack, but I think it's about something I don't personally understand that is happening in a WordPress context, so I'm posting here. It's not about Automattic though, this could be any general case.…

Asked by Jim Maguire
Access control allow origin browser protection efficiency (3 votes, 1 answer)

I was building a website as an experiment, and tried using a few ajax requests to different sites. On some sites I will get an error: XMLHttpRequest cannot load http://example.com/path No 'Access-Control-Allow-Origin' header is present on the…

Asked by t0m9er
Is a Kerberos ticket valid with only one-way external trust between domains? (3 votes, 1 answer)

The situation is that I have two domains (Domain A and Domain B) that live on separate networks. I need to allow users in B to be authenticated with integrated windows authentication (IWA) when they hit a web app deployed on an IIS server in A.…
Is crossdomain policy file required by EVERY web application? (3 votes, 2 answers)

1) If a web application does NOT use any Flash content, does it require a crossdomain / clientaccess policy file? 2) If a web application does not host a crossdomain / clientaccess policy file, is it vulnerable?
Single Page Application with REST API backend based on XML, queried by dynamic XPath (3 votes, 1 answer)

A web application I'm developing will be a Single Page Application (SPA) that will interact with a REST API backend, through jQuery.ajax() calls. The SPA and API will both be served over an https/TLS connection. The API will be served from a…
Cross Domain Javascript security (2 votes, 1 answer)

I used a web vulnerability scanner to scan my web site. It indicates several links with "Cross domain Java script source file inclusion." May I know how an attacker would exploit this type of vulnerability, exactly? For example, the JS in question…

Asked by dorothy