Same origin policy
Let us assume that the URL is loaded in one frame and the URL is loaded in another frame of the same frameset. These two documents have the same origin, namely. Therefore, scripts in either document can access the other document, e.g. to read form data or cookies, to make changes via the DOM or to observe events.
If, on the other hand, the URL of the second document is, then the same-origin policy blocks cross-document access, because the origins differ: once and once.
The aim of the same-origin policy is to ensure that one website cannot simply read the data of another. This would of course not be a problem if the other website were public anyway. It would, however, be a serious security hole in websites that require registration and display confidential data, for example webmail services, communities and all customizable web applications.
The same-origin policy also applies to, better known as Ajax. With, a script can send HTTP requests, transmit data to web servers and finally receive data. The same-origin policy ensures that only data from the same origin can be received using.
Such integration of scripts from external web servers is unfortunately common practice: online advertising, statistics scripts and social media widgets are embedded in this way. From a security perspective this is a highly questionable practice. On the one hand, it is a useful feature because it brings web services to your own website. On the other hand, embedding someone else's code in your own site means that this code runs with the full privileges of your origin, which is a security risk. We will come back to this later in the context of cross-site scripting.
Same-origin policy and subdomains
The same-origin policy not only blocks access across different so-called second-level domains (e.g. is not allowed to access). It also blocks access between subdomains of the same domain. This means that a script in a document under has no access to a document under, although the domain is the same () and only the subdomain differs (de as opposed to en).
This rule may seem strict at first, but it is an important security barrier, because different websites that do not want to share their data with each other may exist under one domain. Even if both subdomains belong to one site, they can be isolated and secured from each other in this way.
This means that the document is accessible for scripts that are on a domain that ends with. So not only for, but also for or.
This scheme does not only apply to second-level domains, but to any subdomains. A script under can execute the following statement:
document.domain = 'de.example.org';
This allows access e.g. from and all other domains that end with.
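The following is an added example, not code from the original article: it models how a browser derives an origin from a URL (scheme, host, port), why de.example.org and en.example.org are different origins, and how the document.domain relaxation described above works only when both documents opt in to the same value. It assumes Node.js (for the global URL class) and uses a simplified check that only rejects bare top-level domains rather than a full public suffix list.

```javascript
// Added example: same-origin comparison plus the document.domain relaxation.
// Not part of the original article; runs under Node.js.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin = scheme + host + port. Default ports are normalised so that
// http://example.org and http://example.org:80 compare as the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Plain same-origin policy: all three components must match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// document.domain may only be set to the current host itself or to a
// parent domain of it. Simplification (assumption): a single label such as
// 'org' is rejected; real browsers consult the public suffix list instead.
function canSetDocumentDomain(hostname, value) {
  if (hostname === value) return true;
  if (!hostname.endsWith('.' + value)) return false;
  return value.split('.').length >= 2;
}

// A document is { url, domain } where domain is the value assigned to
// document.domain, or undefined if the script never set it.
// Access is allowed if the documents are same-origin, or if BOTH have set
// document.domain to the same valid value and share a scheme (the port is
// ignored once document.domain is in use, as in the HTML spec).
function canAccess(docA, docB) {
  if (sameOrigin(docA.url, docB.url)) return true;
  if (!docA.domain || !docB.domain) return false;
  const a = new URL(docA.url);
  const b = new URL(docB.url);
  return docA.domain === docB.domain
    && canSetDocumentDomain(a.hostname, docA.domain)
    && canSetDocumentDomain(b.hostname, docB.domain)
    && a.protocol === b.protocol;
}

module.exports = { originOf, sameOrigin, canSetDocumentDomain, canAccess };
```

Note that relaxing document.domain on one side only does not grant access in either direction; both documents must explicitly opt in, which is what keeps an isolated subdomain isolated.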
One problem is opening new windows with. This method is misused to open so-called popup windows (short: popups) containing advertisements that appear automatically and unwanted. The uncontrolled opening of windows not only annoys users, but is also a security problem, because it can lock up the browser or even cause it to crash.
However, if you open a window in response to user input (see event handling), popup blockers usually allow it. For example, you can give an element a handler. A simple example would look like this:
<a href="dokument.html" id="popup-link"> Dokument XYZ im eigenen Fenster öffnen </a>
Popup blockers try to distinguish between desired and undesired popup windows. A browser cannot reliably tell whether a window is wanted by the user or not. The mentioned criterion of user input (e.g. a mouse click on an element) is only of limited use: some websites trick the browser into believing that they open a "desired" popup window in reaction to user input by opening an advertising popup on a click anywhere in the document.
There are no general rules by which the various popup blockers work. To avoid triggering popup blockers as far as possible, you should only open windows in event handlers for the event on or elements. The above example illustrates this.
Configure browser restrictions
IE 8: Tools > Popup Blocker > Popup Blocker Settings; Internet Options > Advanced; Internet Options > Security > [Zone] > Scripting / Misc
Internet Explorer has several security zones, each linked to certain settings by default. A normal HTML document on the World Wide Web lies in the Internet zone; a document on the local computer or in the local network lies in the Local intranet zone.
There are also two zones to which the user can add web addresses and network paths independently: Trustworthy sites and Restricted sites. This allows the user, for example, to choose rather restrictive security settings for the Internet zone and then relax them for certain pages.
Cross-Site Scripting (XSS)