1

This SO post lists numerous ways to circumvent this policy.

However, I can't tell if any of these are applicable to when you don't have access to the second origin.

Particularly this one, 3rd answer down, you insert a script that calls a script from the second origin.

<script src="http://..../someData.js?callback=some_func"></script>

But in general do any of these methods allow circumvention when you are on origin one...and need access to origin two?

CS_2013

3 Answers

2

Obviously this can't be possible, otherwise the policy would be useless. It's all about preventing you from pulling data from a third host, which is exactly what you are trying to do.

Note that browsers have no notion of what is part of the "private" local network and what is part of the "public" global internet. So this policy exists to prevent arbitrary Javascript code from accessing resources on your local network.

Niklas B.
  • I can do this through a server...file_get_contents()..using my server...don't see the big difference? – CS_2013 May 21 '12 at 21:35
  • @CS_2013: The difference is that your server cannot access resources on the client's local network. – Niklas B. May 21 '12 at 21:35
  • ??If a human can request a page and do a view ->page_source....why can't my .js file do essentially the same thing? – CS_2013 May 21 '12 at 21:38
  • @CS_2013: it's all about protecting resources on the client's local network. No one can force you to manually load a page and copy&paste the source into another page which you trust, but sure as hell you don't want that to work automatically! – Niklas B. May 21 '12 at 21:40
  • 1
    @JosephtheDreamer: No, that is NOT the main idea. If someone manages to XSS you, you have bigger problems than that! The idea is for example that arbitrary web pages can't just access your internal mail server. – Niklas B. May 21 '12 at 21:41
  • Reposted from different angle: http://stackoverflow.com/questions/10693518/is-there-a-javascript-way-to-do-file-get-contents – CS_2013 May 21 '12 at 22:54
  • @CS_2013: I thought you were aware of the proxying option? – Niklas B. May 21 '12 at 23:11
2

Yes, you can circumvent the Same Origin Policy without controlling the second server, but you can't do it without the cooperation of the owner of the second server. Often, as in your example, this is done by cooperating with the JSONP conventions. There is no other way of doing this without proxying the requests to the second server through the first.

lonesomeday
  • So all the examples above are cooperative answers...I just assumed that if a human user can download a page and then click view->source...my script should have the same capabilities...I just want to read the DOM without having to hit my server...seems very inefficient. – CS_2013 May 21 '12 at 21:40
  • @CS_2013: Let's say your company has an internal IMAP server which for some reason uses host-based authentication. Now if it weren't for the SOP, an arbitrary website could just execute Javascript that would connect to that mail server, send a HTTP request that can also be interpreted as a chain of IMAP commands and get back your emails. – Niklas B. May 21 '12 at 21:46
  • And my server can't do that using file_get_contents (php)? – CS_2013 May 21 '12 at 21:53
  • @CS_2013: No, because it obviously doesn't have access to the client's internal network. – Niklas B. May 21 '12 at 21:56
  • Then we are talking about different things...b.c. if I can't client side process the data I need I'm going to server-side process it using file_get_contents – CS_2013 May 21 '12 at 22:28
  • Re-posted from different angle: http://stackoverflow.com/questions/10693518/is-there-a-javascript-way-to-do-file-get-contents – CS_2013 May 21 '12 at 22:53
0

NO, that's the entire point. The SOP can be turned off only if the server specifically allows it thru either CORS or something like JSONP.

Inserting scriptlets is an attack (regardless of if your intentions are good). If I owned a domain and someone did that, they would be banned and reported to the authorities.

The closest you can come is to use a server-side proxy (i.e. have your js make requests to your server, which in turn makes requests to the third party).

hvgotcodes
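The cooperation the last two answers describe, seen from the second server's side, as an added example that is not part of the original thread: it either returns JSONP for a validated callback name or sends a CORS header for an allowlisted origin, and without one of those the browser on origin one cannot read the response. The origins, function names and sample data are hypothetical.

```javascript
// Added example. "Origin two" decides whether to cooperate; all values are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // hypothetical origin one
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;          // plain identifier only

// Models origin two's handler: takes { url, origin } and returns { status, headers, body }.
function respond(request, data) {
  const url = new URL(request.url, "https://api.example"); // hypothetical origin two
  const callback = url.searchParams.get("callback");
  const body = JSON.stringify(data);

  if (callback !== null) {
    // JSONP: the response is a script that the including page executes,
    // so the callback name must never be reflected unvalidated.
    if (!SAFE_CALLBACK.test(callback)) {
      return { status: 400, headers: {}, body: "invalid callback" };
    }
    return {
      status: 200,
      headers: {
        "Content-Type": "application/javascript",
        "X-Content-Type-Options": "nosniff",
      },
      body: `${callback}(${body});`,
    };
  }

  // CORS: echo the Origin only when it is allowlisted. With no header,
  // the request still reaches the server but the browser withholds the response.
  const headers = { "Content-Type": "application/json", "Vary": "Origin" };
  if (ALLOWED_ORIGINS.has(request.origin)) {
    headers["Access-Control-Allow-Origin"] = request.origin;
  }
  return { status: 200, headers, body };
}

// Simplified browser-side check for a simple cross-origin request without credentials.
function browserAllowsRead(pageOrigin, response) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}
```
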