Internet Explorer Javascript Access Document Cross Domain/disable Same Origin setting

3
votes

I have an intranet site kiosk that needs to open up a popup to another website at a different domain. I want to be able to know whether they are actively working with that popup, and if not, close it after a time period.

I need to access the popup.document after window.open JS command. Due to cross domain protection and same origin policy I cannot.

Google chrome can turn this off explicitly with the flag --disable-web-security. I've tried using The Answer here but it doesn't seem to work. I get "Access Denied" when debugging in visual studio. Currently using IE10.

TL;DR How can I access a popup document object opened with javascript window.open and disable IE10's same origin policy explicitly for a trusted site.

I do not have access to modify anything on the other sites server, it is a partnership site. Also, I have tried going into the security tab and turning off protected mode and enabling all the settings (disabling Xss filter) for internet/intranet/trusted sites. It does not work.

Nobody is reading this question. I DO NOT HAVE ACCESS CHANGE THE OTHER SITE the two that are being voted up both assume I do. If I could change the other site, this would be easy. This is a browser security setting question.

3
javascriptinternet-explorer-10same-origin-policy
Do you control the remote site?Pekka
You can disable that in the Security tab in Internet Options. However, it's a very bad idea.SLaks
We are in partnership with the remote site, and all our services go through it, but cannot modify it.DFTR

3 Answers

1
votes

Assuming that you have control over the other site, I would suggest using the concept of JSONP i.e.

While opening the new window, pass the name of a randomSessionKey

i.e. var skeyval=Math.random()*100000; window.open("otherdomain.com?rsKey="+skeyval,"mywindow");

after the above execution, use JSONP to continously check the value of skeyval using JSONP (pointing to the remote domain).

In your remote site, whenever there is a user interaction, i.e. click, keypress, ... update the status of the randomly generated session key identified by "rsKey" parameter with status text for eg: active, idle.

1
votes

http://blog.cakemail.com/the-iframe-cross-domain-policy-problem/

Using an embeded iframe to the remote site is the simplest solution. This article mentions some IE specific js functions.

0
votes

There is a small exception in the same-origin policy for JSONP, such that you can have the client side call an external JSON API, but not their PayPal account using their cookies. It's a nice, secure little loophole for exactly this kind of situation.

You could use this to communicate between your site and the remote site (assuming you have control over the remote site, if you don't you're basically out of luck). Your server can send requests to the remote site for the status of a certain user, and the remote site can update that user's status each time they provide input. If your site queries the remote site and the remote site is idle, you can have the remote window close (easiest if you're using an iframe, partial view, or something similar).