
JavaScript and AJAX Forum

new window and make new window can't access current domain cookie

 12:24 pm on May 25, 2003 (gmt 0)

var w = window.open();

but I don't want the script in the HTML code to access the current domain

e.g.: alert(document.cookie) alert(window.opener.document.cookie)



 10:06 pm on May 25, 2003 (gmt 0)

Sorry, but I can't quite parse what you're asking here. Could you expand on your needs a bit more?


 2:30 am on May 26, 2003 (gmt 0)

I have a page that allows users to post HTML code
and lets other users press a button to "preview" the HTML code in a newly opened window

there's nothing to do and no need to care about "explode" scripts; let the browser patches or antivirus software handle that
what I'm worried about is that, when previewing, the code is able to access cookies in www.mydomain.com (suppose this is my domain)

so, is it possible to separate that code from my domain?


 2:55 am on May 26, 2003 (gmt 0)

If I understand you correctly, you're worried about this: Code that your users enter might access cookies that were written from the same domain.

Cookies are on the user's computer. If someone knows enough to enter a script that displays cookies, then they know enough to go into their own hard drive and read their own cookies directly. So you can't be worried about someone reading their own cookies.

Are you saying there is a possibility that one person might write a script that extracts a different user's cookies?


 4:24 am on May 26, 2003 (gmt 0)

thx tedster, you're so careful

I know users can access their own cookies
and yes, I'm saying that one user can steal other users' cookies (same domain, of course) by submitting JavaScript code and waiting for another user to preview it. sooooo.... terrible security problem!

after a long time thinking, I found a way to do it:
when the "preview" button is pressed, submit the code to www.anotherdomain.com and output it as "Content-type: text/html", so it can't access the user's cookies for www.domain.com
(all of the above domains are examples only)

but is this the only way? I have to prepare a standalone domain for this single problem :(
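
Added example (not part of the thread or any poster's code): a small model of RFC 6265 cookie scoping that shows which cookies a script in the preview window could read through document.cookie, depending on which host serves the preview. The cookie jar, the preview.mydomain.com host and all function names are constructed for illustration; the model goes slightly beyond the post by also covering a subdomain and the HttpOnly attribute, and it ignores Path and Secure.

```javascript
// Constructed model of cookie scoping; not code from the thread.

// RFC 6265 section 5.1.3 domain-match: identical, or a dot-separated suffix.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// A cookie set without a Domain attribute is host-only: exact host match only.
function cookieSentTo(cookie, requestHost) {
  if (cookie.domainAttr === null) {
    return requestHost.toLowerCase() === cookie.setByHost.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domainAttr);
}

// Names of cookies that document.cookie would expose to a script on pageHost.
// HttpOnly cookies are still sent to the server but hidden from scripts.
function cookiesReadableByScript(jar, pageHost) {
  return jar
    .filter((c) => cookieSentTo(c, pageHost) && !c.httpOnly)
    .map((c) => c.name);
}

// Preview endpoint logic: refuse to render user HTML on the main site's host,
// and never attach a Set-Cookie header to the preview response.
function buildPreviewResponse(requestHost, mainHost, userHtml) {
  if (domainMatch(requestHost, mainHost)) {
    return { status: 403, headers: {}, body: "preview is not served on the main site" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: userHtml,
  };
}

// Constructed cookie jar for a user logged in at www.mydomain.com.
const jar = [
  { name: "session", setByHost: "www.mydomain.com", domainAttr: null, httpOnly: false },
  { name: "prefs", setByHost: "www.mydomain.com", domainAttr: "mydomain.com", httpOnly: false },
  { name: "auth", setByHost: "www.mydomain.com", domainAttr: "mydomain.com", httpOnly: true },
];

console.log(cookiesReadableByScript(jar, "www.mydomain.com"));
console.log(cookiesReadableByScript(jar, "preview.mydomain.com"));
console.log(cookiesReadableByScript(jar, "www.anotherdomain.com"));
```

In this model a preview served from a subdomain still exposes any cookie set with a Domain attribute covering the parent domain, while a preview served from an unrelated domain exposes none.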


 5:08 am on May 26, 2003 (gmt 0)

Yes, I can imagine ways that this could be done if you had the ability to post executable HTML and Javascript code on another domain.

The question is, what's in the cookies that would constitute a privacy risk? Probably nothing, but if you use cookies to "remember" user id's and passwords for people, for example, then that could be a genuine security risk.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved