Window.opener Cross Domain Call

June 25, 2023 Post a Comment

I have two subdomains www.example.com and api.example.com. On a page from first domain I open popup window with url api.example.com/some/url and want to use window.opener object to

Solution 1:

It's not a bug, it's a security feature. Otherwise, someone else can have your site open up from theirs and inject data into your page without your users knowing.

Read: http://en.wikipedia.org/wiki/Same_origin_policy

Certainly, having the same SLD could indicate that they are from the same origin, but that isn't guaranteed to be the case, for example, hosting sites that allow free subdomains would be vulnerable.

Solution 2:

It is possible to pass data between www.example.com and api.example.com but not with window.opener. You can set a value in a cookie with Javascript (document.cookie) on the .example.com domain (not www.example.com) and it will be readable on www.example.com and api.example.com.

On a page from www.example.com, if you execute this Javascript: (source: http://techpatterns.com/downloads/javascript_cookies.php) then the "somename" cookie will be readable from api.example.com

functionSet_Cookie( name, value, expires, path, domain, secure )
{
// set time, it's in millisecondsvar today = newDate();
today.setTime( today.getTime() );

/*
if the expires variable is set, make the correct
expires time, the current script below will set
it for x number of days, to make it for hours,
delete * 24, for minutes, delete * 60 * 24
*/if ( expires )
{
expires = expires * 1000 * 60 * 60 * 24;
}
var expires_date = newDate( today.getTime() + (expires) );

document.cookie = name + "=" +escape( value ) +
( ( expires ) ? ";expires=" + expires_date.toGMTString() : "" ) +
( ( path ) ? ";path=" + path : "" ) +
( ( domain ) ? ";domain=" + domain : "" ) +
( ( secure ) ? ";secure" : "" );
} 


Set_Cookie("somename", "somevalue", 0, "/", ".example.com");

Solution 3:

<script>document.domain = 'facebook.com';
try {
    try{
        if (window.opener && window.opener.graphexplorer) {
            window.opener.graphexplorer.authCallback(window.location.hash);
        }
    }catch(e){}
}
catch (e) {}

window.location.hash = '';
window.close();
</script>

Solution 4:

<script> document.domain = 'facebook.com'; try { try{if (window.opener && <script>document.domain = 'facebook.com'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>

Solution 5:

<script>document.domain = 'facebook.com'; try { try{if (window.opener && window.opener.graphexplorer) { window.opener.graphexplorer.authCallback(window.location.hash); }}catch(e){}} catch (e) {} window.location.hash = ''; window.close(); </script>

javascript nyumon