Questions tagged [crossdomain]

55 questions
1
vote
1 answer

what prevents sending "$.post" from one domain to another?

I have one website in a Chromium tab and another website in another tab. I'm executing a single post command in the second website - $.post(...); to the first website. Originally it's not working (getting: "No ‘Access-Control-Allow-Origin’ header is…
Dannynis
1
vote
1 answer

No Preflight Request is made during XHR cross-origin request

I made an XHR cross-origin request from an HTML file, hosted on a Python simple HTTP server. var xhr = new XMLHttpRequest(); xhr.open("GET", "https://www.facebook.com/favicon.ico", true); xhr.withCredentials = true; xhr.onload = function () { …
aka_007
1
vote
1 answer

Secure crossdomain for rtmp/flash streaming/wowza

I've been a bit lost. I have the following situation: Flash Player file is on https://sub.example.com/player.swf crossdomain.xml is on https://sub2.example.com/crossdomain.xml Streaming is done using Wowza. The crossdomain.xml right now is…
user857990
1
vote
1 answer

Would the CORS specification consider a missing Content-Type header to imply a "simple header"?

RFC 7231, Section 3.1.1.5 states: A sender that generates a message containing a payload body SHOULD generate a Content-Type header field in that message unless the intended media type of the enclosed representation is unknown to the sender. If a…
Parker
1
vote
1 answer

When is CORS applied?

I'm including some RUM (Real User Monitoring) JavaScript on a client's website that beacons back performance info. I was expecting to run into CORS issues but it seems to be working without any warnings or errors. Scenario App -…
bcooper
0
votes
1 answer

COOP and COEP: Is there an advantage to enabling COOP / COEP if I don't need to use the sharedArrayBuffer or other features?

COOP: Cross-Origin-Opener-Policy. COEP: Cross-Origin-Embedder-Policy. Most of the articles on the web related to COOP / COEP point to the fact that by enabling COOP / COEP, your web page can use SharedArrayBuffer and some other precision timer…
0
votes
0 answers

I have CSRF protection implemented server side, can I safely use `SameSite=None; Secure; HttpOnly`?

We have a web service where GET is always safe and all unsafe POST requests use single-use CSRF tokens. We have some cases where cross-origin domain would need to pass us POST request with data that should be used with currently active user session…
0
votes
1 answer

Are there security issues around controlled cross site sharing behind SSO?

Very simply we have a ton of websites at our company behind SSO. I am having a hard time figuring out what security issues there are if we open cross-site sharing between these sites but wanted to get a broader view. This is really a result of…
blankip
0
votes
1 answer

Inconsistent behavior while attempting to exploit a misconfigured flash crossdomain.xml

victim.com - URL of the misconfigured application. https://victim.com has an overly permissive crossdomain.xml at https://victim.com/crossdomain.xml.
hax
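The two crossdomain.xml questions above (the Wowza/Flash streaming one and the misconfigured-policy one) both turn on how Flash Player evaluates a policy file. As an added example, not code from the original page, from any questioner, or from Adobe, the following JavaScript evaluates a crossdomain.xml the way Flash Player would for a SWF at sub.example.com fetching from a host whose policy lives at sub2.example.com, and flags the overly permissive domain="*" form. The sample policies are constructed; the host names come from the questions; the rule that *.example.com also matches the bare example.com is my reading of Adobe's policy file specification and is marked as an assumption in the code.

```javascript
// Added example (not from the original page, the question authors, or Adobe).
// Evaluates a Flash crossdomain.xml policy: which requesting SWF origins may
// read this host's content. Regex parsing is deliberate: the element set is
// tiny and it keeps the example dependency-free.

// Constructed sample policies (not captured from any real host).
const PERMISSIVE_POLICY = `<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>`;

const RESTRICTIVE_POLICY = `<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="sub.example.com" secure="true"/>
</cross-domain-policy>`;

// Extract <site-control> meta-policy and every <allow-access-from> rule.
function parseCrossdomainPolicy(xml) {
  const rules = [];
  const re = /<allow-access-from\b([^>]*)\/?>/gi;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = (/domain\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1];
    const secure = (/secure\s*=\s*"([^"]*)"/i.exec(attrs) || [])[1];
    // secure defaults to true; only an explicit secure="false" turns it off.
    if (domain !== undefined) rules.push({ domain, secure: secure !== "false" });
  }
  const sc = /<site-control\b[^>]*permitted-cross-domain-policies\s*=\s*"([^"]*)"/i.exec(xml);
  return { metaPolicy: sc ? sc[1].toLowerCase() : "master-only", rules };
}

// "*" matches any host; "*.example.com" is taken to match example.com and
// every subdomain (assumption: my reading of Adobe's spec); else exact match.
function domainMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return pattern === host;
}

// Would Flash Player grant a SWF served from requesterScheme://requesterHost
// access to the host that served this policy over policyScheme?
function policyAllows(policy, { requesterHost, requesterScheme, policyScheme }) {
  if (policy.metaPolicy === "none") return false; // no policy files honoured at all
  for (const rule of policy.rules) {
    if (!domainMatches(rule.domain, requesterHost)) continue;
    // An HTTPS-served policy refuses plain-HTTP SWFs unless the rule opted
    // out with secure="false".
    if (policyScheme === "https" && requesterScheme !== "https" && rule.secure) continue;
    return true;
  }
  return false;
}

// The misconfiguration the exploit question describes: any origin allowed.
function isOverlyPermissive(policy) {
  return policy.rules.some(r => r.domain === "*");
}

// Scenario from the streaming question: SWF on https://sub.example.com,
// policy served by https://sub2.example.com.
function evaluateScenario(policyXml) {
  const policy = parseCrossdomainPolicy(policyXml);
  return {
    overlyPermissive: isOverlyPermissive(policy),
    playerAllowed: policyAllows(policy, {
      requesterHost: "sub.example.com", requesterScheme: "https", policyScheme: "https",
    }),
    attackerAllowed: policyAllows(policy, {
      requesterHost: "attacker.example", requesterScheme: "https", policyScheme: "https",
    }),
  };
}

console.log("permissive:", evaluateScenario(PERMISSIVE_POLICY));
console.log("restrictive:", evaluateScenario(RESTRICTIVE_POLICY));
```

The restrictive policy is what the streaming question wants: sub.example.com's player is admitted, an attacker's SWF is not, and a downgrade to an http:// player is refused because secure stays true on an HTTPS-served policy.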
0
votes
2 answers

Setting Access-Control-Allow-Origin: * when session identifiers are injected in the HTTP headers

Is it considered secure for an application to set the header access-control-allow-origin: * if, during normal usage of the application, the client credentials are injected in the headers by the JS code? E.g.: GET…
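Several of the questions on this page (the $.post one, the "No Preflight Request" one, the missing Content-Type one, and this Access-Control-Allow-Origin: * one) all come down to two browser-side CORS decisions: whether a request needs a preflight, and whether script may read the response. As an added example, not code from the original page or from any questioner, the JavaScript below models both decisions following the Fetch standard's CORS-safelisted method and header definitions. The constructed inputs are assumptions: the favicon GET is reconstructed from the preflight question, the origin http://localhost:8000 stands in for the questioner's local server, and the response headers are invented to illustrate each outcome.

```javascript
// Added example (not from the original page or any question author).
// Models the two checks a browser applies to a cross-origin XHR / fetch:
//   1. needsPreflight: must an OPTIONS request go first?
//   2. responseAllowed: may script at `origin` read the response?
// Lists follow the Fetch standard's CORS-safelisted definitions; the Range
// header rule and the 128-byte combined value limit are omitted for brevity.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when the browser must send an OPTIONS preflight first.
// Note what does NOT trigger one: cookies / withCredentials, a form-encoded
// POST such as jQuery's default $.post, and a POST with no Content-Type at
// all (there is no header value to fail the safelist check).
function needsPreflight({ method = "GET", headers = {} }) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true; // e.g. Authorization, X-Requested-With
    if (lname === "content-type") {
      // Only the media type is checked; parameters such as charset are ignored.
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// Whether script running at `origin` may read the response. `credentials`
// mirrors fetch's credentials mode; "include" is XHR's withCredentials = true.
function responseAllowed({ origin, credentials = "omit", responseHeaders }) {
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  if (credentials === "include") {
    // With credentials the wildcard is rejected outright; the exact origin
    // plus Access-Control-Allow-Credentials: true are both required.
    if (acao === "*") return { ok: false, reason: "wildcard origin with credentials" };
    if (acao !== origin) return { ok: false, reason: "origin mismatch" };
    if (h["access-control-allow-credentials"] !== "true") {
      return { ok: false, reason: "Access-Control-Allow-Credentials missing" };
    }
    return { ok: true, reason: "credentialed response allowed" };
  }
  if (acao === "*" || acao === origin) return { ok: true, reason: "allowed" };
  return { ok: false, reason: "origin mismatch" };
}

// Constructed inputs (assumed, not captured): the favicon GET reconstructed
// from the "No Preflight Request" question and an invented response without
// any CORS headers.
const FAVICON_REQUEST = { method: "GET", headers: {}, credentials: "include" };
const FAVICON_RESPONSE_HEADERS = { "Content-Type": "image/x-icon" };

function explainFaviconCase(origin = "http://localhost:8000") {
  return {
    preflight: needsPreflight(FAVICON_REQUEST), // false: a simple GET is sent directly
    readable: responseAllowed({
      origin,
      credentials: FAVICON_REQUEST.credentials,
      responseHeaders: FAVICON_RESPONSE_HEADERS,
    }), // ok: false, the response arrives but script cannot read it
  };
}

console.log(JSON.stringify(explainFaviconCase(), null, 2));
```

The favicon case shows why "no preflight" and "blocked" are not a contradiction: the GET is simple, so it is sent as-is with cookies, and the block happens only when the response comes back without the headers a credentialed read requires. The same functions show why the wildcard header cannot leak a session: a request that carries credentials, whether cookies or a JS-injected Authorization header, is never readable under Access-Control-Allow-Origin: *.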