Cross-site means the interaction crosses separate domains of authority.
Questions tagged [cross-site]
246 questions
120
votes
5 answers
What is the difference between CORS and CSPs?
From my perspective, the technologies referred to as Cross-Origin Resource Sharing (CORS) and Content Security Policies (CSPs) seem to be very similar in purpose and implementation.
Both seem to allow you to whitelist the origins of resources which…

nickform
68
votes
18 answers
Setting cross-domain cookies in Safari
I have to call domain A.com (which sets the cookies with http) from domain B.com.
All I do on domain B.com is (javascript):
var head = document.getElementsByTagName("head")[0];
var script = document.createElement("script");
script.src =…

Luca Matteis
52
votes
4 answers
Cookie “PHPSESSID” will be soon treated as cross-site cookie against because the scheme does not match
I've just noticed my console is littered with this warning, appearing for every single linked resource. This includes all referenced CSS files, javascript files, SVG images, and even URLs from ajax calls (which respond in JSON). But not images.
The…

Digital Ninja
27
votes
2 answers
Why is cross-domain JSONP safe, but cross-domain JSON not?
I'm having trouble connecting some dots having recently learned of JSONP. Here's my understanding:
Cross-domain XmlHttpRequests for any content (including JSON) is banned, due to the same origin policy. This protects against XSRF.
You are permitted…

snappieT
22
votes
2 answers
angularjs + cross-site scripting preventing
Does AngularJS take care of XSS attacks? I have read that ng-bind takes care. But when I try to do a sample to test that, it allows me to insert HTML tags in input type with ng-model... it didn't escape the HTML tags.
I have a lot of input elements in…

dav10
14
votes
1 answer
A cookie associated with a cross-site resource was set without the `SameSite` attribute
Chrome is giving me the following warning:
A cookie associated with a cross-site resource at http://quilljs.com/
was set without the SameSite attribute. A future release of Chrome
will only deliver cookies with cross-site requests if they are…

Hooman Bahreini
12
votes
2 answers
Samesite cookie but allow specific domain
I would like to secure my cookies using SameSite=strict. But is there a way to allow it to be accessed by a few domains alone?

JC Raja
10
votes
5 answers
Error: AADSTS50058: A silent sign-in request was sent but no user is signed in - Angular ADAL authentication issue in mobile safari browser
We have a site developed using Angular 7 and it uses the Adal-Angular4 library for Azure Active Directory authentication. When the site is browsed in Safari on iPhone, it runs into the below error.
Error: AADSTS50058: A silent sign-in request was sent but…

skATsof
10
votes
3 answers
google maps - Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at
I am using google maps api and on the page I have this
now, because of this, as you can see in this…

dav
10
votes
2 answers
Python Flask cross site HTTP POST - doesn't work for specific allowed origins
I'm trying to get Flask to handle cross-site scripting properly. I've taken the crossdomain decorator snippet from here:
http://flask.pocoo.org/snippets/56/
In the code below, I've put the decorator snippet and the basic flask server.
I'm calling…

Nate
8
votes
1 answer
CORS policy with Google Storage allows from my origin, but no 'Access-Control-Allow-Origin' header is present
I'm new to CORS configuration and trying to figure this out, but my set up looks like it is right according to the documentation. I'm hoping you can help me see what I've missed. My code is trying to upload (PUT) a file directly to google storage…

Kenny Wyland
8
votes
4 answers
ASP.NET Core CORS request blocked; why doesn't my API apply the right headers?
Trying to set up CORS with authentication. I have a Web API site up at http://localhost:61000 and a consuming web application up at http://localhost:62000. In the Web API Startup.cs, I have:
public void ConfigureServices(IServiceCollection…

Patrick Szalapski
7
votes
2 answers
How to protect location.href from cross site scripting in JavaScript?
Here in my JavaScript function I'm using location.href as follows
location.href = "../Floder1/result.jsp"; it is working fine, but when I used the Fortify tool it is showing Cross-site Scripting which can result in the browser executing malicious code.…

tajMahal
7
votes
3 answers
Customise Tumblr's *new* Like Button iFrame {LikeButton}
The new code from tumblr {LikeButton} comes with a very few options: color and size.
It injects an iFrame, which handles the "Like" functionality and provides SVG graphics.
However because of the iframe and cross site scripting policies, it is no…

Graham P Heath
7
votes
2 answers
MVC AntiForgeryToken reused previous generated tokens
Currently I'm working on an ASP.NET MVC 4 application. We are using the provided [ValidateAntiForgeryToken] and the corresponding @Html.AntiForgeryToken() to generate the hidden field in our forms which are submitted using POST.
So far the mechanism…

jcgarciam