What is Scripting:
Scripting languages like JavaScript and VBScript that can be embedded in HTML files give enormous opportunities
for making web pages dynamic, interactive and user friendly. They make web pages responsive by allowing
part of the job to be done at the browser before doing a round trip to the server. They also allow an HTML
interface to provide a rich and dynamic user interface similar to what we get with applications built with
Visual Basic, MFC and the like. You can dynamically hide or display portions of the screen, create new
elements on the fly, modify text, populate text, and interact with other embedded components like Java Applets and
ActiveX objects. Objects embedded in HTML, and the HTML elements themselves, are accessed through the DOM.
What is DOM:
DOM stands for "Document Object Model". It is a kind of tree data structure that the
browser builds out of an HTML page. HTML is very similar to XML (though less strict), and can be parsed
into a well formed tree with nested elements and attributes. This parsed representation, called the DOM, is
easy to access and program.
What is Cross Domain Scripting:
HTML pages can be obtained from different web servers using different URLs. For example, Yahoo Mail can
be accessed through http://mail.yahoo.com/ and HotMail through http://www.hotmail.com/. The web servers
serving them are on different machines and the machines belong to different network domains. In our
example of yahoo and hotmail, www.hotmail.com is the network domain of HotMail and mail.yahoo.com is the
network domain of Yahoo Mail.
Suppose you come up with a brilliant idea of creating a portal for internet-based mail. The portal will
allow a user to log in with a user Id and password, and if the user has accounts in both HotMail and Yahoo
with the same user Id and password, your portal will be able to display mails from both accounts
without the user having to log in to each of the mail boxes. So you get a machine to host your portal,
create a network domain called www.allmail.com and start to work on it. You realize that users will not be
comfortable having to supply their mail account user Ids and passwords to you, so you must implement all
the logic in HTML alone, without storing anything on your server. That implies that the HotMail and Yahoo logins
must happen at the user's browser only, and the mails must be displayed there. Your application can just be the
starting point, and all you would get is a small space at the top where you can display your wares and hope
that the user also purchases some of them after reading the mails. Doing all this at the browser will
require quite an amount of heavy duty scripting. You will need to get the user Id and password from the
user once from your login screen and then create two frames dynamically - one hosting HotMail and the other
hosting Yahoo Mail. Then you need to push the user Id and password into their login screens and simulate a
click of the login button.
So as you see, this requires that scripts you supply from your domain (www.allmail.com)
interact with HTML from other domains, www.hotmail.com and mail.yahoo.com. This is what is referred to as
"Cross Domain Scripting".
What's the issue with that:
Cross domain scripting is a security issue because it can allow a web page downloaded from a malicious
web server to access sensitive data downloaded from another web server. Imagine that you are browsing your
mail from www.hotmail.com while you also went to www.abccasino.com to play some games. Now abccasino is not a
reputable site, and somebody there has deployed a clever script on their web page that takes hold of your
hotmail screen and sends all e-mail contents to abccasino.com. One of the e-mails may contain a mail from
your bank that has your credit card statement with your credit card number! So you see, cross domain
scripting is not entirely safe, and that's the reason why most of the popular browsers have disabled it.
However, sometimes you do genuinely need to do cross domain scripting. In the paragraphs below
we'll discuss how much of cross domain scripting is allowed and how to go about doing it.
Option 1:
This is the easiest and least intrusive way. It is probably the best way to go if you can live with
the restrictions imposed. It is also the most secure way, since it follows the rules imposed by the browsers
without trying to work around them. To follow this method:
Ensure that all URLs come from the same parent domain. For example, mail.yahoo.com and quotes.yahoo.com
both come from the same parent domain yahoo.com.
Set the DOM variable document.domain to the parent domain in all your web pages. That is, include
the script snippet <script>document.domain='yahoo.com';</script> in all your pages from both
the domains.
Ensure that all URLs that are called use the full domain name. That is, even if you have the option of
invoking mail.yahoo.com with an alias called yahoomail, don't do that. The browser looks at the literal
domain name that you used in the address bar. Even an IP address will not do.
Ensure that all URLs are either HTTP or HTTPS. Mixing is not allowed. That is, a script from a page
invoked using HTTP cannot access the contents of another page from the same domain invoked using HTTPS, and
vice versa.
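The four rules above can be checked mechanically. The following is an added example (not code from the original article) that models, in Node.js, whether a script on one page may touch the DOM of another once each page has run document.domain = '<parent domain>'; the page objects, hostnames and helper names are assumptions for the illustration, and the real decision is of course made by the browser.

```javascript
// Added example: a small model of the document.domain rules from Option 1.
// It is not browser code; it only decides, offline, whether two pages would
// be allowed to script each other under those rules.

// document.domain cannot be relaxed for a dotted IP literal (rule 3).
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Effective domain of a page after it executed document.domain = declared.
// Returns null where a browser would refuse the assignment.
function effectiveDomain(url, declared) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'http:' && protocol !== 'https:') return null;
  if (declared === undefined) return hostname;      // page never relaxed
  if (isIpAddress(hostname)) return null;           // rule 3: no IP literals
  // declared must be the host itself or a parent domain on a dot boundary,
  // so an alias such as 'yahoomail' can never claim 'yahoo.com' (rule 3).
  if (declared !== hostname && !hostname.endsWith('.' + declared)) return null;
  if (!declared.includes('.')) return null;         // refuse a bare TLD like 'com'
  return declared;
}

// pageA / pageB: { url, domain } where domain is the value assigned to
// document.domain; omit domain to model a page that never set it.
function canScript(pageA, pageB) {
  const a = new URL(pageA.url), b = new URL(pageB.url);
  if (a.protocol !== b.protocol) return false;      // rule 4: HTTP and HTTPS never mix
  const relaxedA = pageA.domain !== undefined;
  const relaxedB = pageB.domain !== undefined;
  if (relaxedA !== relaxedB) return false;          // rule 2: every page must opt in
  if (!relaxedA) {                                  // plain same-origin check
    return a.hostname === b.hostname && a.port === b.port;
  }
  const da = effectiveDomain(pageA.url, pageA.domain);
  const db = effectiveDomain(pageB.url, pageB.domain);
  if (da === null || db === null) return false;
  return da === db;                                 // rule 1: same parent domain
}
```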
Option 2:
Using HTA. HTA stands for HTML Template Applications, a Microsoft only feature. This feature is
available on machines with IE5+ browsers.
The web server needs to be configured to send HTA files with the appropriate MIME type.
HTA is not executed in a normal IE window. Rather, it opens an mshta.exe window with the web
pages embedded within.
HTA may not run Java applets correctly. Though I haven't explored this fully, I did get a problem,
and so did many others if you browse newsgroups.
Option 3:
Signing JavaScripts. Basically, the .js files will have to be put into a jar file and the jar file
should be signed.