
Is it possible for a page opened with window.open to allow itself to be examined by a cross-origin opener? (This is for use in internal applications, so security is not a significant concern.) And if so, how? I've tried replacing all of the CORS and Same-Origin policies I can find and I still get Access Denied on all properties for a child window.

In particular, I am trying to use Internet Explorer 11.

Headers

These are all of the headers I've tried so far

```
Access-Control-Allow-Origin: http://web1.corp.local
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma
Access-Control-Expose-Methods: GET,POST,OPTION,PUT,DELETE,HEAD
X-Content-Security-Policy: default-src *;script-src *
Content-Security-Policy: default-src *;script-src *
X-XSS-Protection: 0
X-Permitted-Cross-Domain-Policies: all
```

What I'm trying to do...

I want web1.corp.local to execute some JavaScript on a page on web2.corp.local. I control both domains; I just need some way for web2 to tell the browser it's okay for web1 to read and execute things on web2.

Request on http://web1.corp.local

I'm trying to call JavaScript functions on the opened window from the opener.

```javascript
document.domain = "corp.local";
var web2 = window.open('http://web2.corp.local');
web2.document; //Throw "Access Denied"
web2.MyApp; // undefined
```

JavaScript on http://web2.corp.local

```javascript
document.domain = "corp.local";
var myapp = window.MyApp = {
    doWork: function() {
        alert('Hello World!');
    }
};
```

Note: I have a solution using an iframe proxy and window.postMessage but the app hosted on web2 doesn't work correctly from within an iframe.

Update: The issue was the two pages were not using the document.domain and I missed the exception on the opened window.

Matthew Whited
  • I think you meant something else by cross-site scripting than what it actually is. Did you mean cross-domain requests? – Gabor Lengyel Sep 12 '16 at 18:53
  • No, I mean cross site scripting. I need to make a request from a client session rendered on `http://web1.corp.local` to `http://web2.corp.local`. I used `window.open(...)` from `web1` but no matter what I do all of the properties of that opened window are presented as `access denied` – Matthew Whited Sep 12 '16 at 18:55
  • (And I didn't figure CORS would solve this but it was the best I could find.) – Matthew Whited Sep 12 '16 at 18:56
  • OK, I get what you are after and will try to craft an answer later unless somebody else does it before me. Please be aware though that cross-site scripting is something entirely different, cross-site scripting is a vulnerability when an attacker can inject his javascript into a page. – Gabor Lengyel Sep 12 '16 at 18:58
  • I understand that. I was expecting to find a header or something that would allow me to enable the calls. I don't want to turn off the XSS filter entirely. I just want to allow a session from web1 to call web2 – Matthew Whited Sep 12 '16 at 18:59
  • What problem are you actually trying to solve? – George Stocker Sep 12 '16 at 19:10
  • I added more details to my question. – Matthew Whited Sep 12 '16 at 19:12
  • `web2.MyApp; // undefined` because `window.open` opens just a window reference. `web2.document; //Throw "Access Denied"` this has nothing to do with `XSS` but Same Origin Policy. – bhantol Sep 12 '16 at 19:26
  • It is blocked because it doesn't have the same origin. If I did `window.open(web1)` I have no problem accessing the document – Matthew Whited Sep 12 '16 at 19:27
  • I don't care what you call it, I only know the problem I am running into. – Matthew Whited Sep 12 '16 at 19:28
  • Curious if `web2.document; //Throw "Access Denied` may be resolved by adding both web1 and web1 urls to Trusted Zone in IE11 Options. – bhantol Sep 12 '16 at 19:37
  • I eliminated "cross site scripting" from your question and edited to make it clearer what you're really asking. Feel free to revert any changes and further clarify if you think I've misrepresented your question. – apsillers Sep 12 '16 at 19:41
  • Have you looked into [PostMessage api](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) – Scott Fanetti Sep 12 '16 at 19:52
  • Does it work when you click a link to call a JavaScript function which opens the child window? (as opposed to just using code to do it) – datasedai Sep 12 '16 at 20:08
  • Yes, I tried postMessage and it won't work as I need to use IE and the loaded page cannot be within an iframe. – Matthew Whited Sep 12 '16 at 20:08
  • The window is opened when a user clicks a button. It doesn't just open on load. I can try changing from a button to a hyperlink – Matthew Whited Sep 12 '16 at 20:10
  • `document.domain` might help in this case – Bergi Sep 12 '16 at 21:52
  • I was trying document.domain... and that was the solution. One of the URLs wasn't under the domain I was being told. After I started over I resolved the issue. – Matthew Whited Sep 12 '16 at 22:06

2 Answers

The issue was the document.domain. The second site was not in the same domain as the first. As soon as I changed the FQDN of web1 and used document.domain = corp.local the problem was solved.

I missed the exception being thrown by one of the javascript files on document.domain.

Matthew Whited
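
Added example, not part of the original answer: a simplified model of the `document.domain` rules that reproduces the failure described above, where one host was not actually under `corp.local`. The function names and the host `web1.other.local` are constructed for illustration.

```javascript
// Added example: a simplified model of the document.domain rules, used to
// explain why an opener can or cannot reach its window.open() child.
// The host "web1.other.local" below is constructed for illustration.

// True if a page at pageUrl may run `document.domain = target`: the target
// must be the page's own host or a parent suffix of it, otherwise the
// assignment throws. (Public-suffix restrictions are not modelled.)
function canSetDomain(pageUrl, target) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const t = target.toLowerCase();
  return host === t || host.endsWith('.' + t);
}

// Each page is { url, domainSet }; domainSet is the value its script
// assigns to document.domain, or null if no assignment is attempted.
function diagnose(opener, child) {
  const o = new URL(opener.url), c = new URL(child.url);
  const problems = [];
  if (opener.domainSet === null && child.domainSet === null) {
    // No relaxation on either side: plain same-origin comparison.
    if (o.origin !== c.origin) problems.push('origins differ');
    return { allowed: problems.length === 0, problems };
  }
  if (o.protocol !== c.protocol) problems.push('schemes differ');
  const effective = [];
  for (const [name, page] of [['opener', opener], ['child', child]]) {
    if (page.domainSet === null) {
      problems.push(name + ' did not set document.domain');
    } else if (!canSetDomain(page.url, page.domainSet)) {
      problems.push(name + ' host is not under ' + page.domainSet);
    } else {
      effective.push(page.domainSet.toLowerCase());
    }
  }
  if (effective.length === 2 && effective[0] !== effective[1]) {
    problems.push('document.domain values differ');
  }
  return { allowed: problems.length === 0, problems };
}

const DOMAIN = 'corp.local';
const working = diagnose(
  { url: 'http://web1.corp.local/', domainSet: DOMAIN },
  { url: 'http://web2.corp.local/', domainSet: DOMAIN });
const broken = diagnose(
  { url: 'http://web1.other.local/', domainSet: DOMAIN },
  { url: 'http://web2.corp.local/', domainSet: DOMAIN });
console.log(working, broken);
```

Once both pages relax to `corp.local`, any other page on a host under `corp.local` that sets the same value gets the same script access, so the trust boundary becomes the whole parent domain rather than the two applications.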

Apparently it is indeed broken in IE if it's cross-domain and between windows (not frames).

Have a look at this question: Is cross-origin postMessage broken in IE10?

Especially the answer by brunolau at the bottom looks promising and may be just what you need. There is hope in IE11, but they also mention an update breaking it again. It's strange to be honest, I can't see a security reason to make it not work with the constraints and considerations already worked out for frames.

On the other hand, I know it doesn't answer your question, but you may want to implement communication through the server anyway, which would remove dependence on browser peculiarities (but that may be less of a concern for you if you only wanted to support IE 11).

Gabor Lengyel