JS security issue with Opera 11.01, after moving from server A to B

Asked 31/3, 2011 at 13:22 Answered 17/4, 2011 at 17:0

I have a outer HTML-document (subdomain1.server-a.de) with an iFrame and inner HTML-document (subdomain2.server-a.de). The inner script should send & receive AJAX-requests to subdomain2.server-a.de. I've set the document.domain-value for both documents to "server-a.de" - so far, so good, works well in all tested browsers (FF/Chrome/Opera). Now I move the scripts to server-b.de with same subdomains and set the document.domain on both documents to "server-b.de". That still works in FF and Chrome, but Opera gives me a "Security error: attempted to read protected variable: xy" when trying to call my AJAX function from the outer document.

My conclusion so far: I can't violate the same domain policy, because then FF and Chrome wouldn't communicate with the inner document from outside either. I've also tried the solution from Focus with Cross-domain Ajax in Opera with the interval function, same issue.

Thanks a lot in advance for every hint.

UPDATE: I have set up a testing site for this. If you go to this site, you'll see, it works even with Opera (a dialog pops up with "Test called" after a few seconds). Now, if you copy the outer frame files "operatest.html" and jquery to another server - so it has to work in my case - you'll see, that FF and Chrome don't have a problem, but Opera has.

Is Opera comparing server details in order to fulfill the same origin policy? Or will it deny access, if ip adresses of both subdomains don't match?

Greenock answered 31/3, 2011 at 13:22 Comment(1)

what are the IP addresses of the subdomains? Opera has some "cross-network" protection that tries to prevent scripting across internet/intranet barriers, but I have no idea if it could cause this. – Pederast 8/4, 2011 at 19:52

Sounds like it might be a timing issue, i.e. the outer document tries to initiate the request before the inner document has run the script that sets document.domain?? Or perhaps Opera has cached the IFRAME contents and you initially loaded a version where the script inside the IFRAME was wrong and didn't set document.domain correctly?

Pederast answered 4/4, 2011 at 13:30 Comment(1)

That was my first thought, but it also occurs with setInterval and a waiting time of 10 seconds before trying to access a variable from the iframe. I'll post some example scripts later, then you can try if you want to. – Greenock 5/4, 2011 at 7:55

I suggest you forget the document.domain approach and use window.postMessage() (AKA HTML5-style cross-document messaging) instead. http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html#web-messaging

Pederast answered 8/4, 2011 at 19:59 Comment(0)

Had the same absurd issue with JS calls between parent and an iframe on a different subdomain - worked everywhere, but failed under Opera with the above mentioned error.

Removing ~/.opera folder (Opera settings folder in Linux) solved this, and another one very weird problem.

Cheers.

Dilatant answered 17/4, 2011 at 17:0 Comment(0)

Recommended topics

Hot tags