Cross-domain Access

At its simplest, cross-domain access involves getting data from one web site and displaying it within a page from a different web site.

In more complex scenarios, it involves constructing business processes that both read and update data on different web sites, including sensitive data tied to the specific user who is performing the transaction.

Example: A page served from site A displays information about a cause.

  • Site A asks for the user's name and address and then retrieves the name of the user's legislators from site B and displays that information.
  • If the user chooses to send a letter, Site A passes the information to site B, where the letter is actually sent.
  • Site B responds with an acknowledgment message or error messages if the letter could not be sent, and site A displays that information.

Cross-domain access is difficult to manage because it must be handled securely. When a page on site A makes a request to site B, the request is sent by the user's browser and carries whatever cookies the user holds for site B, so to site B it looks exactly like a request the user made directly. A page served by a web server mixes code (JavaScript) with data (HTML content). If the browser gave different sites access to each other's content, a malicious site could read or manipulate data purportedly coming from a trusted site. To prevent this, web browsers enforce a "same origin" policy:

  • The "same origin" policy is a restriction enforced by all browsers that prevents a document or script loaded from one "origin" from reading or setting properties of a document loaded from a different "origin".
  • An "origin" is the combination of scheme (HTTP or HTTPS), host and port. Two pages from the same domain are therefore different origins when one is served over HTTP and the other over HTTPS, or when they are served on different ports.
  • This policy prevents hostile code from one site from taking over or manipulating documents from another. Without it, JavaScript from a hostile site could snoop on key presses while the user logs in to a site in another window, hijack the user's session with an online banking site and insert spurious transactions, steal login cookies from other domains, and so on.

Luminate Online API methods support the W3C Cross-Origin Resource Sharing (CORS) specification for client-side cross-origin requests. You must white-list every origin that is allowed to make cross-origin requests in your site configuration; a request from an origin that is not on the list is answered without CORS headers, and the browser then refuses to let the calling page read the response.
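The two mechanisms above, as an added example that is not Luminate Online code: the origin comparison a browser performs for the same-origin policy (scheme, host and port, with default ports normalised), and the kind of server-side allow-list check a CORS-enabled endpoint such as site B should make before echoing an origin back. The allow list, the hostnames in it, the permitted request headers and the function names are assumptions made for this example; the requests at the bottom are constructed.

```javascript
// Added example, not Luminate Online code. ALLOWED_ORIGINS, its hostnames,
// ALLOWED_REQUEST_HEADERS and corsHeadersFor are assumptions for this example.
// Uses the global WHATWG URL class available in Node.js 10+.

// Ports a browser treats as implied by the scheme when none is given.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin tuple: scheme, lower-cased host and effective port.
// Path, query and fragment play no part in the origin.
function originOf(urlString) {
  const u = new URL(urlString); // throws on malformed input, e.g. the literal "null"
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin policy: two documents share an origin only if all three parts match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed allow list: the origins whose pages may read this server's responses.
const ALLOWED_ORIGINS = new Set(
  ['https://www.example-cause.org', 'https://donate.example-cause.org'].map(originOf)
);
// Request headers a cross-origin caller may send; anything else is refused in preflight.
const ALLOWED_REQUEST_HEADERS = new Set(['content-type', 'authorization']);

// Decide which CORS headers to put on the response to `req`, where
// req = { method, headers } and header names are lower-case as Node delivers them.
// Returns null when the response must carry no CORS headers, which makes the
// browser block the calling page from reading it.
function corsHeadersFor(req) {
  const origin = req.headers['origin'];
  if (!origin) return null; // no Origin: same-origin navigation or a non-browser client

  let normalised;
  try {
    normalised = originOf(origin);
  } catch (e) {
    return null; // malformed Origin, including "null" from sandboxed frames
  }
  // Exact match of the whole origin tuple. A prefix or substring test would accept
  // https://www.example-cause.org.attacker.example.
  if (!ALLOWED_ORIGINS.has(normalised)) return null;

  const headers = {
    // Echo the one matching origin. "*" is rejected by browsers for credentialed
    // requests, and the letter-sending flow is tied to the user's session.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };

  const isPreflight = req.method === 'OPTIONS' && req.headers['access-control-request-method'];
  if (isPreflight) {
    const asked = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    // Grant only the intersection of what was asked for and what is permitted.
    headers['Access-Control-Allow-Headers'] =
      asked.filter((h) => ALLOWED_REQUEST_HEADERS.has(h)).join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Constructed requests for demonstration.
console.log(sameOrigin('http://example.org/a', 'https://example.org/a'));
console.log(corsHeadersFor({ method: 'GET', headers: { origin: 'https://attacker.example' } }));
console.log(corsHeadersFor({ method: 'GET', headers: { origin: 'https://www.example-cause.org' } }));
```

CORS only governs whether the calling page may read the response. The browser still sends a plain cross-origin form POST, with the user's cookies attached, regardless of the allow list, so an endpoint that performs an action for the user (sending the letter in the example above) needs its own request-forgery defense in addition to an exact-match origin allow list.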
