When using cross-origin URLs for images with the canvas API, if the image is cross-origin I am getting a tainted canvas exception. MDN: Allowing cross-origin use of images and canvas. Changing crossOrigin="anonymous" fixes the issue; however, is it okay to always do that? Or should I check the URL first to make sure that it really is crossOrigin
Tag: cross-domain
HttpOnly Cookies not found in Web Inspector
I am working on user authentication for a website built using the MERN stack and I have decided to use JWT tokens stored as HttpOnly cookies. The cookie was sent in a “Set-Cookie” field in response header when I used Postman to make the request but not in the Safari Web Inspector as shown in the image below. There are
iframe not reading cookies in Chrome
Chrome is not allowing a child iframe to read its own cookies. I have a parent webpage with a child iframe: parent at https://first-site.com; child at <iframe src="https://second-site.com"> (inside of parent); cookie set with path: '/', secure: true, httpOnly: false, domain: '.second-site.com'. I control both sites, and I want the iframe to perform an operation within the iframe that requires
Use window.open but block use of window.opener
A while back I ran across an interesting security hole Looks innocuous enough, but there’s a hole because, by default, the page that’s being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there’s still some mischief that can be done Now, HTML has a workaround That prevents the
Fetching metadata from url
I have used the Jsoup library to fetch the metadata from a URL. But I want to do it on the client side using JavaScript. Answer: You can't do it client only because of the cross-origin issue. You need a server-side script to get the content of the page. OR you can use YQL. In this way, the YQL will be used as
Internet Advertisers and Third-Party Cookies – clarification?
I've read this question about how third-party cookies are set, which is a subject I already know: it can be done in three ways: Script (application/javascript) MIME type (which is generated at server side), which can also set a cookie (along with the script response). img link <IMG href="http://www.advertiser.exmaple/add.cgi?source=example.com&user=1032354"> form submission to an iframe ( for
Cross-domain connection in Socket.IO
Is it possible to use Socket.IO in a cross domain manner? If so, how? The possibility is mentioned around the web but no code examples are given anywhere. Answer Quoting the socket.io FAQ: Does Socket.IO support cross-domain connections? Absolutely, on every browser! As to how it does it: Native WebSockets are cross-domain by design, socket.io serves a flash policy file