6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"understanding JavaScript security model\",\"text\":\"

Why is it that I can submit a form to an iframe with a cross-domain address but can't send an XMLHTTPRequest to that address?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"MK.\"},\"upvoteCount\":2,\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

For the very simple reason that your code doesn't get to see the result of the iframe post. Your script will be denied access to the iframe's DOM.

\\n\\n

And keep in mind this is really the browser's security model, not JavaScript's.

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"bhamlin\"},\"upvoteCount\":4}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","javascript",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/javascript/1","children":"javascript"}]}],["$","span","cross-domain",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/cross-domain/1","children":"cross-domain"}]}],["$","span","security",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/security/1","children":"security"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://i.sstatic.net/1bC0L.png?s=256","alt":"MK.","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/68105/mk","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"MK."}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",34527]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"understanding JavaScript security model"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

Why is it that I can submit a form to an iframe with a cross-domain address but can't send an XMLHTTPRequest to that address?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",2]}],["$","p",null,{"children":["Views: ",322]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","13060417",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/2558ec567b04d8690bcde28e4b60807a?s=256&d=identicon&r=PG","alt":"bhamlin","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/343531/bhamlin","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"bhamlin"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",5187]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

For the very simple reason that your code doesn't get to see the result of the iframe post. Your script will be denied access to the iframe's DOM.

\n\n

And keep in mind this is really the browser's security model, not JavaScript's.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",4]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","50283130",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/50283130","className":"text-blue-600 hover:underline","children":"Javascript Security"}]}],["$","li","27150341",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/27150341","className":"text-blue-600 hover:underline","children":"How does XSS Work - Especially when we have cross domain security?"}]}],["$","li","7364881",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7364881","className":"text-blue-600 hover:underline","children":"How secure is the "same origin policy"?"}]}],["$","li","12282186",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/12282186","className":"text-blue-600 hover:underline","children":"Security in JavaScript Code"}]}],["$","li","8086872",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8086872","className":"text-blue-600 hover:underline","children":"How can JavaScript get data from a user's computer?"}]}],["$","li","1244182",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1244182","className":"text-blue-600 hover:underline","children":"Cross-domain data access in JavaScript"}]}],["$","li","4520118",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4520118","className":"text-blue-600 hover:underline","children":"What harm can javascript do?"}]}],["$","li","4060867",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4060867","className":"text-blue-600 hover:underline","children":"How can I design a javascript API that allows for cross-domain scripting securely?"}]}],["$","li","1826893",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1826893","className":"text-blue-600 hover:underline","children":"Javascript security / cross scripting on same server"}]}],["$","li","1192716",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/1192716","className":"text-blue-600 hover:underline","children":"Javascript same origin security issue"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

understanding JavaScript security model

Answers (1)

Related Questions