3

I have a system that's responsible for distributing jobs to a group of browsers running on different machines. Each browser reloads a page waiting for jobs to come in.

One thing each job does is to make a cross-domain JSONP request to a local server running on the local machine in order to get some information from the system. This works in every browser I've tried except for Opera.

Here's the jQuery code that I'm using to make the request:

$.ajax({
  url: "http://10.20.30.40:8000/...",
  dataType: "jsonp",
  data: someData
  success: function(data) { ... }
});

The 10.20.30.40 host is the local IP address, identifying a local server running on the machine with the browser. The page which is making this request is loaded from a domain name like blah.internal.example.com which is visible to all the machines inside our network.

The first such request made from Opera (I'm using 12.02) succeeds. However, subsequent requests made in the same way are never actually made. They don't show up in the network tab of the inspector. In the console, a message is displayed saying Linked script not loaded.

I believe that this message (and the lack of a request) is triggered by Opera's Cross-Network Security, which is described in this blog post. On Stackexchange, this answer suggests a workaround, but it requires user interaction. For my use case, the browsers are started, stopped, and run by a script, so user interaction isn't an option.

Is there a way to disable this cross-network security in Opera completely, or for pages loaded from a particular "trusted" host? I need a change that I can make in the preferences or opera:config that will be sticky across sessions. (All of these computers are running on an internal network on internally controlled pages, so I'm not worried about cross-network attacks.)

Community
  • 1
  • 1
Sean McB
  • 43
  • 1
  • 5
  • I forgot to mention that [this forum post](http://my.opera.com/community/forums/topic.dml?id=1459072) seems to identify the same issue that I'm having. – Sean McB Sep 19 '12 at 00:30

2 Answers2

2

Why bother with JSONP, if you can use CORS in Opera 12+ (and every other browser, even IE8)? It works like charm.

Just don't forget to add required Access-Control-Allow-* headers to your local server.

More info at Opera dev network: http://dev.opera.com/articles/view/dom-access-control-using-cross-origin-resource-sharing/

c69
  • 19,951
  • 7
  • 52
  • 82
  • 1
    Unfortunately, the CORS header doesn't help at all in this case. (I just tested it.) The problem is not cross-domain security, but Opera's special "cross-network" security, which seems to be triggered regardless of the CORS settings. – Sean McB Sep 19 '12 at 18:04
  • This observation is correct - we're considering making cross-network security defer to CORS (which would let you work around it for your use case) but this isn't implemented yet. – hallvors Sep 20 '12 at 07:32
  • @SeanMcB in that case your only choice is pick Hallvor's solution (if you don't mind the _side effects_) and wait for CORS fix.. – c69 Sep 20 '12 at 11:18
  • I think making this type of security defer to CORS would make a lot of sense. Having a consistent way of disabling it when it's not wanted would be helpful. Also, it needs better error messages when this protection is triggered in the console. It took me more than a day just to figure out what was going on! :) – Sean McB Sep 20 '12 at 15:54
0

Try disabling the security feature entirely in opera:config#Cross%20Network (seems SO won't let me link to that..)

Naturally, if you have disabled a security feature you should surf cautiously ever after.. ;-)

hallvors
  • 6,069
  • 1
  • 25
  • 43
  • I tried enabling the "Allow cross-network navigation" setting in opera:config, but that didn't have an effect either. Apparently navigation is a different than programmatically accessing a url repeatedly via JS? – Sean McB Sep 20 '12 at 15:50
  • Jeremy Forrester recommended on Twitter that I try adding the local domain to a trusted_repositories.ini file, which I'm going to try next week once I'm back from travel. https://twitter.com/jezforrester/status/248535358105600000 – Sean McB Sep 20 '12 at 15:52
  • Hm.. I would certainly expect the pref to work so it seems we have a bug here. I've seen a bug report that looks relevant, don't remember its number right now. – hallvors Sep 21 '12 at 07:51
  • (CORE-47183 in Opera's closed bug tracker, it was just fixed so in some future version..) – hallvors Sep 21 '12 at 13:18
  • Thanks for the info on that! Any idea when that fix might land in a release version? – Sean McB Sep 24 '12 at 18:24
  • It probably misses 12.10 (unless Desktop upgrades core to Presto/2.12.392 or greater, very unlikely when we're already near beta stage). So a more likely bet is whatever we release next.. – hallvors Sep 26 '12 at 09:24