Questions tagged [crossdomain]

55 questions
2 votes, 1 answer

SubtleCrypto with non-extractable keys stored in IndexedDB - Cross Origin Usage

In a browser I want to use SubtleCrypto (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) to create a key pair and store it locally in the IndexedDB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API). Storing the key pair…
asked by dominik

2 votes, 1 answer

Cross-domain session standardization

I am looking into cross-domain sessions. These are sessions which are shared between two domains like google.com and spotify.com. I'm not looking for information regarding cross-domain sessions between sub-domains since they can be shared by…
asked by Silver

2 votes, 1 answer

OpenID Connect: API access using same identity provider

Does OpenID Connect support the following SSO-like scheme: Both website S and some meta-website M support login using OpenID Connect, e.g. with a Google account. Is it possible for M to access a user's data at S, with the user being authenticated…
asked by mh8020

2 votes, 1 answer

Accessing cookies of another domain using iframes and JavaScript

Using an iframe we can embed webpages of another domain provided X-Frame-Options isn't set to SAMEORIGIN. This also loads the cookie inside the iframe. Now, one can access this cookie if it's in the iframe box using document.cookie. I wanted to ask…
asked by aka_007

1 vote, 1 answer

Best way to deal with cross-domain authentication in intranet

Firstly, I'm not sure if this is a valid board to ask this question - maybe it should be asked on StackOverflow? Overview of the use case, what we are trying to achieve: Two servers, on two different domains; Available only from inside (intranet) SharePoint…
asked by ppatalong

1 vote, 2 answers

HTTP/S <-> HTTP/S cross-site requests: what do third-party websites know about where their objects are being referenced from?

There are four general cross-site request combinations security-wise, and I want to know whether ysite.com, in each case, knows that the reason I downloaded one of its resources was because I was visiting the specific URL that referenced it…
asked by user21377

1 vote, 1 answer

Iframe postmessage fraud

I've reviewed some material here and in other sites relating to secure usage of Window.postMessage. There is a bunch of material regarding best practices but one of my questions remained unanswered. From what I was able to understand, the…
asked by user3074662

1 vote, 1 answer

Is it secure to use window.origin with postMessage?

When using postMessage it's important to define a targetOrigin to ensure we don't leak data to other sites. It's equally important to check the origin when receiving a message to prevent other sites from triggering our scripts. But, if we're just…
asked by Jamie G

1 vote, 2 answers

Is a Cross-Domain Request a CSRF Attack? (CORS)

CORS is an HTTP header suite that “relaxes” the SOP. One of the CORS misconfigurations is reflecting, without a regexp check, the “Origin” client header into the “ACAO” response header. If it happens with “ACAC:true”, every cross-domain HTTP request is…
asked by Zefiro38

1 vote, 1 answer

How did a malicious website manage to serve me the app that is running on my local Apache server?

Today I accidentally mistyped a popular website's domain, which led me to a malicious website. I realized it immediately, but before I had time to close the tab I was surprised to be presented with the web app that I am running locally on Apache. The…
asked by pppfff604

1 vote, 1 answer

Security issues related to setting a cookie using an <img> tag

Site A will have an <img> tag with a src= attribute as an absolute URL pointing to site B. Site B will return an image response, and in that response a cookie will be set (a cookie of site B's domain). This is being done because the Safari browser…
asked by void

1 vote, 3 answers

How to stop app from fetching data from my website?

I am running a website that contains data that our users can access if they login. Someone else has created an Android app that lets users access that data as well. They enter their credentials, and the app then connects to another website. This…
asked by Tech2K

1 vote, 1 answer

What's the purpose of the preflight check on CORS requests?

A fellow developer and I were experiencing a weird issue with our application in the past couple of days. Specifically, he's writing the API and I'm writing the web front end. Since the UI runs from a different port, we have to set up CORS in the…
asked by RLH

1 vote, 2 answers

CORS clarification

I need some clarifications about the problems that CORS (Cross-Origin Resource Sharing) can cause. Let's suppose that site A.COM has enabled CORS, in particular: Access-Control-Allow-Origin can be set to any website in the HTTP request and it is…
asked by Edge7

1 vote, 1 answer

Loading a logged in page in an iframe

Suppose www.youtube.com has no X-Frame-Options set. Imagine I'm already logged in to YouTube. Now, if from another web page in the same browser I load YouTube in an iframe, will the browser send all the auth cookies to the YouTube loaded in the…