jQuery iframe transport plugin works on IE10 cross-domain


Viewed 244 times

6

I need to post XML using the Federal Justice web services, but I can only do it using IE10 in compatibility mode. I was told that the jQuery iframe transport plugin would overcome this difficulty. Is this real, or should I match my site and the justice site via CORS?

  • I couldn’t find any documentation on how this service works. If you can give some data about how this transfer happens (ajax, postmessage, plugins, etc.) it would be easier to answer the question.

  • The most appropriate solution for you to take this data and make it available on your site is to work with a kind of tunneling on your server, where your server communicates directly with the host server and transmits the manipulated information to the client. This way will not infringe CORS and will be compatible with all browsers that do not show a security fault.

2 answers

1

Uploading data via IFRAME to circumvent CORS when there is no possibility of JSONP is a frivolous solution. Per the specification, browsers must block this type of feature, allowing it only if the site containing the JavaScript sends via postMessage and interprets the messages sent to it in isolation.

If this is not the case, you will be exploiting a security flaw that some browsers may have, so the trend is that these faults are suppressed and your system crashes, whether through a browser update, security plugins or antivirus integrated into the client's browser.

A suitable solution for providing information that comes from another site, when that data is not available directly client to client, is to use a server to do tunneling. How it works:

  1. Your client makes a request to your server
  2. Your server modifies the request, including data such as API_KEY, cookies, etc. needed to communicate with the target web service
  3. It sends the request and captures the answer from the web service
  4. It handles the response and sends the data back to your client, whether raw or processed

The service can be expanded to a web service without problem, as long as your server treats the data correctly to send to the site that holds the desired information.

  • When I mentioned plugins I was thinking of Flash: it is possible that the server uses crossdomain.xml but not CORS. Wouldn't tunneling cause any legal problem? I have never looked favorably on it (or similar).

  • For Flash, the use of CORS is also limited for the same browser-security reasons; if you succeed, you will be exploiting a flaw in the user's Flash. This solution of using a server to do tunneling is in no way illegal as long as it does not infringe the rules of the web service you are using, such as request numbers, a user's encrypted data, etc. It is good to make clear on the page how your user's data will be used and the recurrence of use of the web service to which such data will be transposed.

  • The use of crossdomain.xml does not constitute a fault, since it was created for the same purpose as CORS. As for tunneling, that was good to know.

  • It is a security failure when you "cheat" the crossdomain.xml of another site, or its header that informs the allowed-origin (most current).

  • I did not mean circumventing crossdomain.xml, but rather a server that supports it but not CORS. What led me to this idea was the fact that he was using XML.
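
The four-step server-side relay described in the answer above, as an added example that is not part of the original thread and not code from any participant. The upstream origin, the `/submit` path and the `x-api-key` header are assumptions; it expects Node 18+ for the global `fetch`.

```javascript
// Added example. Origin, path and header names are assumptions, not the real service's.
const UPSTREAM_ORIGIN = 'https://webservice.example'; // placeholder; fixed on the server
const ALLOWED_PATHS = new Set(['/submit']);           // hypothetical endpoint
const FORWARDED_HEADERS = ['content-type', 'accept']; // all other client headers are dropped
const MAX_BODY_BYTES = 64 * 1024;

// Steps 1-2: turn the browser's request into the request sent to the web service.
function buildUpstreamRequest(clientReq, apiKey) {
  if (clientReq.method !== 'POST') return { error: 405 };
  // The client picks among known paths only, never the host, so the relay
  // cannot be pointed at arbitrary or internal addresses.
  if (!ALLOWED_PATHS.has(clientReq.path)) return { error: 404 };
  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers)) {
    const key = name.toLowerCase();
    if (FORWARDED_HEADERS.includes(key)) headers[key] = value; // no Cookie, no Authorization
  }
  if (!/^(application|text)\/xml\s*(;|$)/i.test(headers['content-type'] || '')) return { error: 415 };
  if (Buffer.byteLength(clientReq.body || '', 'utf8') > MAX_BODY_BYTES) return { error: 413 };
  headers['x-api-key'] = apiKey; // credential lives only on the server
  return { url: UPSTREAM_ORIGIN + clientReq.path, method: 'POST', headers, body: clientReq.body };
}

// Step 4: hand back status, content type and body only; upstream Set-Cookie and
// other headers never reach the browser.
function buildClientResponse(upstreamRes) {
  return {
    status: upstreamRes.status >= 500 ? 502 : upstreamRes.status,
    headers: { 'content-type': upstreamRes.headers['content-type'] || 'application/xml' },
    body: upstreamRes.body,
  };
}

// Step 3: send the request and capture the answer. `send` is injectable for testing.
async function relay(clientReq, apiKey, send = fetch) {
  const up = buildUpstreamRequest(clientReq, apiKey);
  if (up.error) return { status: up.error, headers: {}, body: '' };
  const res = await send(up.url, { method: up.method, headers: up.headers, body: up.body });
  const headers = { 'content-type': res.headers.get('content-type') };
  return buildClientResponse({ status: res.status, headers, body: await res.text() });
}
```

Because the browser only talks to your own origin, no CORS header or iframe workaround is involved; call `relay` from whatever HTTP handler your server framework provides.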

0
