Tuesday, August 7th, 2007

Cross domain JavaScript via DNS

Category: JavaScript, Security

Alex Pooley has written up his thoughts on cross domain JavaScript via DNS. Alex builds on the document.domain fun:

The Problem
From a naive perspective, it is not possible for a web page from domain D to access a URL from another domain E due to security considerations. Several workarounds have been developed, namely the remote script technique. All existing workarounds suffer from significant limitations, such as the unhampered ability to read and write between two different domains.

The Short
Say domain D wants to connect to domain E. In a nutshell, the trick is to use DNS to point a sub-domain of D, D_s, to E’s server. In doing so, D_s takes on the characteristics of E, while also being accessible to D.

Posted by Dion Almaer at 9:29 am
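
The relaxation this trick relies on, as an added example that is not part of the original post or of Alex Pooley's write-up: a small model of the browser's same-origin check once document.domain is involved. The hostnames (d.example, api.d.example as D_s, e.example) are constructed, and the dot test is a simplified stand-in for the browser's public-suffix check.

```javascript
// Model of the same-origin check with document.domain relaxation.
// Constructed hosts: d.example is D, api.d.example is D_s (its DNS record
// points at E's server), e.example is E under its own name.

function makePage(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// document.domain may only be set to the current host or a parent of it.
// Assumption: "contains a dot" stands in for the real public-suffix check.
function setDocumentDomain(page, value) {
  const v = value.toLowerCase();
  const current = page.domain || page.host;
  const isSuffix = current === v || current.endsWith('.' + v);
  if (!isSuffix || !v.includes('.')) {
    throw new Error(`SecurityError: ${page.host} cannot become ${value}`);
  }
  page.domain = v;
}

// Both pages opted in: compare scheme and domain, port ignored.
// Neither opted in: compare the full origin. Only one opted in: deny.
function canScript(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false;
}

function demo() {
  const d = makePage('http://d.example/app');        // page on D
  const ds = makePage('http://api.d.example/frame'); // D_s, served by E
  const e = makePage('http://e.example/frame');      // E's own hostname
  const before = canScript(d, ds);                   // different hosts
  setDocumentDomain(d, 'd.example');
  const onlyOne = canScript(d, ds);                  // D_s has not opted in
  setDocumentDomain(ds, 'd.example');
  const after = canScript(d, ds);                    // both opted in
  let eCanJoin = true;
  try { setDocumentDomain(e, 'd.example'); } catch (err) { eCanJoin = false; }
  return { before, onlyOne, after, eCanJoin };
}
console.log(demo());
```

The same rule means a page that sets document.domain becomes scriptable by every other sub-domain of that domain that sets it too, so the opt-in widens exposure beyond the one intended peer.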


This technique seems to require that JavaScript allow passing of information between subdomains. In my experience, JavaScript currently doesn’t allow for this to happen. You can’t have x.example.com open an iframe with y.example.com and pass data both ways. (If I’m wrong and there is a way for this to be done, I’d be very interested in it as it would simplify a project I’m working on.)

Comment by Jason Levine — August 7, 2007


Check out Abe Fettig’s article on the topic. It’s definitely a step in the right direction!


Comment by Frank — August 7, 2007

This has been used forever in custom advertising relationships (which also keeps new browsers from disabling cookies from third parties).

Comment by Steven — August 7, 2007

Jason, you can also use a folder…
Example:
http://www.mydomain.com accesses http://www.google.com via http://www.mydomain.com/domain

I use this and it works really well.
I use an Apache reverse proxy, and cookies are also transmitted :)

Comment by iDo — August 8, 2007

I am wondering how Google Analytics does this. They are doing it for sure, because all they have is a JavaScript include and a JavaScript function and that’s it. After this they collect whatever they can – and they do this. :)

Comment by Nik Chankov — August 8, 2007

They just use an img to track analytics which are sent as request parameters to that gif.

Comment by Kishore Senji — August 8, 2007
