homepage Welcome to WebmasterWorld Guest from 50.16.112.199
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
Forum Library, Charter, Moderator: open

JavaScript and AJAX Forum

    
new window and make new window can't access current domain cookie
how?
Xuefer

10+ Year Member



 
Msg#: 748 posted 12:24 pm on May 25, 2003 (gmt 0)

var w = window.open();
w.document.write(htmlcode);
w.document.close();

but i don't want the script in htmlcode to access the current domain

e.g.: alert(document.cookie) alert(document.opener.cookie)

 

tedster

WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 748 posted 10:06 pm on May 25, 2003 (gmt 0)

Sorry, but I can't quite parse what you're asking here. Could you expand on your needs a bit more?

Xuefer

10+ Year Member



 
Msg#: 748 posted 2:30 am on May 26, 2003 (gmt 0)

hm.,..
i have a page that allow user to post html codes
and let other users to press a button to "preview" the html code in a new open window

there's nothing to do and no need to care about "explode" scripts, let the browser patches or anti virus software to do it
what i worried about is, when preview, the code is able to access cookies in www.mydomain.com (suppose this is my domain)

so, is it possible to seprate that code away from my domain?

tedster

WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 748 posted 2:55 am on May 26, 2003 (gmt 0)

If I understand you correctly, you're worried about this: Code that your users enter might access cookies that were written from the same domain.

Cookies are on the user's computer. If someone knows enough to enter a script that displays cookies, then they know enough to go into their own hard drive and read their own cookies directly. So you can't be worried about someone reading their own cookies.

Are you saying there is a possibility that one person might write a script that extracts a different user's cookies?

Xuefer

10+ Year Member



 
Msg#: 748 posted 4:24 am on May 26, 2003 (gmt 0)

thx tedster, you're so careful

i know users can access their own cookie
and yes, i'm saying that, one user can steal others cookie(same domain of cos), by submiting javascript code, and wait for other user to preview it. sooooo.... terrible security problem!

after long time thinking, i get a way to do:
when press "preview" button, submit the code to www.anotherdomain.com and output as "Content-type: text/html", so it can't access the user's cookie of www.domain.com
(all above domains is for example only)

but is this the only way? i have to prepair a standalone domain for this single problem :(

jomaxx

WebmasterWorld Senior Member jomaxx us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 748 posted 5:08 am on May 26, 2003 (gmt 0)

Yes, I can imagine ways that this could be done if you had the ability to post executable HTML and Javascript code on another domain.

The question is, what's in the cookies that would constitute a privacy risk? Probably nothing, but if you use cookies to "remember" user id's and passwords for people, for example, then that could be a genuine security risk.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / JavaScript and AJAX
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved