Access-Control-Allow-Origin (CORS) and the ordinary page DOM


Ivan Yosifov

Apr 15, 2013, 4:05:37 AM4/15/13
to chromiu...@chromium.org
Hi all, 

I'm trying to build a web mashup consisting of a host page and a "captive" page from different origins, with the host page freely accessing the DOM of the captive page, but not vice versa. Normally the same-origin policy prevents any access.

I tried having the server of the captive page put e.g. "Access-Control-Allow-Origin: *" in the HTTP headers of all replies, and it's still not working. My question is, does the Access-Control-Allow-Origin header apply at all to ordinary page DOM trees, or is it just for XmlHttpRequest objects?

Thanks,
Ivan

PhistucK

Apr 15, 2013, 4:08:24 AM4/15/13
to Ivan Yosifov, Chromium HTML5
XMLHttpRequest and other CORS-based requests (images, videos, fonts in some browsers).
CORS cannot grant any access to scripting contexts, as far as I know.


PhistucK



Ivan Yosifov

Apr 15, 2013, 8:15:19 AM4/15/13
to chromiu...@chromium.org, Ivan Yosifov
Well, my test seems to confirm this; I was hoping the test was buggy.

Could CORS be implemented to cover normal DOM trees? This doesn't seem to be contrary to the W3C specification and makes sense to me. 

Roland Hess

Apr 15, 2013, 8:49:37 AM4/15/13
to chromiu...@chromium.org, Ivan Yosifov
Are you trying to build this mashup as a generally available web page, or just something for your own use, say as an App? If you are planning to do this only within Chrome/Chromium, you can build an Extension (pretty easy to do) that retrieves this content for you. Extensions aren't subject to the CORS restrictions (see linked site below). Allowing cross-site HTML capture in a generally available browser is a clear vector to on-the-fly website spoofing. If you build this tech as an extension, a reasonable way to do so would be to include an Options page for the extension that lets you whitelist the domains and/or exact pages you would like to allow cross-origin access to. This means that the user has to take explicit action to allow this, so they are at least informed. Please watch the security concerns in the link below about how you handle that content.

See this page:

Ivan Yosifov

Apr 15, 2013, 9:41:20 AM4/15/13
to chromiu...@chromium.org, Ivan Yosifov
Thanks for the pointer. The mashup is for internal use, only Chrome/Chromium support is fine for the meantime. The mashup is a browser-in-the-browser of sorts. The host page contains some tools and information to help the user process the "captive" page, which is expected to otherwise function like a normal iframe (including link navigation and loaded resources), so I want to load it with iframe.src=.... and let the browser do all the work from there.

I only suggest that access be allowed to the DOM of pages that set the Access-Control-Allow-Origin header to a proper value, not in general. I don't want the effect of running chrome with --disable-web-security. It just seems to me that if a page explicitly indicates it's ok to access it cross-domain with e.g. XHR, cross-domain DOM access should be allowed too.
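As an added illustration (not code posted by anyone in this thread), here is the host page's side of the two access paths discussed above: the live-DOM read that the same-origin policy blocks regardless of the captive server's Access-Control-Allow-Origin header, and the CORS request that the header does govern. CAPTIVE_URL is a placeholder, and the frame and fetch implementation are passed in as parameters so the functions can be exercised with constructed stand-ins outside a browser.

```javascript
// Added example for this thread, not code from any participant.
// Host page side of the mashup. CAPTIVE_URL is a placeholder for the
// captive page, assumed to answer with "Access-Control-Allow-Origin: *".
const CAPTIVE_URL = "https://captive.example/page.html";

// Path 1: reach into the live DOM of an iframe loaded via iframe.src.
// Only the same-origin policy decides this; CORS response headers play
// no part. For a cross-origin frame the browser throws a SecurityError
// on contentWindow.document, with or without Access-Control-Allow-Origin.
function probeLiveDom(frame) {
  try {
    const title = frame.contentWindow.document.title;
    return { liveDomReadable: true, title };
  } catch (err) {
    return { liveDomReadable: false, error: err.name };
  }
}

// Path 2: read the captive page's markup through a CORS request. This is
// the access Access-Control-Allow-Origin actually grants: the response
// body becomes readable to this origin, but what comes back is text, not
// the frame's live, navigable DOM.
async function fetchCaptiveMarkup(fetchImpl, url = CAPTIVE_URL) {
  const res = await fetchImpl(url, { mode: "cors" });
  if (!res.ok) throw new Error(`captive page returned HTTP ${res.status}`);
  return res.text();
}

// Wire both paths up on a real page: a cross-origin iframe plus fetch().
// Pass the page's own document and fetch, e.g. mountCaptive(document, fetch).
function mountCaptive(doc, fetchImpl, url = CAPTIVE_URL) {
  const frame = doc.createElement("iframe");
  frame.src = url;
  doc.body.appendChild(frame);
  frame.addEventListener("load", async () => {
    console.log("live DOM:", probeLiveDom(frame));
    console.log("via CORS:", (await fetchCaptiveMarkup(fetchImpl, url)).length);
  });
  return frame;
}
```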