StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POXSS between HTTP and HTTPS versions of the same domain
primarykey
Id
15958934
data
AcceptedAnswerId
16022071
AnswerCount
1
ClosedDate
CommentCount
10
CommunityOwnedDate
CreationDate
2013-04-11T21:11:33.667
FavoriteCount
0
LastActivityDate
2013-04-16T09:18:41.940
LastEditDate
2013-04-11T21:20:11.153
LastEditorUserId
1058733
OwnerUserId
1058733
ParentId
0
PostTypeId
1
Score
1
ViewCount
432
LastEditorDisplayName
text
Body
What I'm trying to accomplish is an inline login using ajax that does the following: <ol> <li>Login link is displayed on an unsecured HTTP page, lets say "<a href="http://www.somedomain.com/somepage/" rel="nofollow">http://www.somedomain.com/somepage/</a>" No login info is collected here</li> <li>When clicked the login link creates an iframe with a src pointing to "<a href="https://www.somedomain.com/rest_api/values/" rel="nofollow">https://www.somedomain.com/rest_api/values/</a>" This is where the login form is first displayed, via HTTPS</li> <li>Within the new iframe popup, the user is presented a login form which itself is secure having been loaded via HTTPS, user fills in form and clicks continue which posts back to itself.</li> <li>Assuming user is logged in successfully a jquery call is made to a script accessible via <code>window.parent.document</code> which updates the original page with the current user widget, and then calls for the iframe to be destroyed.</li> </ol> This works great when I force the iframe to use the same domain and protocol, but as soon as I come in on HTTP and force the IFRAME to load the login script with HTTPS, I get the dreaded "Permission denied to access property 'document'" error in Firebug after a successful login. I understand that the <code>Access-Control-Allow-Origin</code> header needs to be set, so it's dynamically set to use the HTTPS version of what ever domain the page is being requested under, and I've verified this in the Header Response in Firebug on the original page request. So why am I still getting the error, the response header shows: <pre><code>Access-Control-Allow-Origin: https://www.somedomain.com </code></pre> so is there something else I need to set, or is the problem possibly somewhere else? Thanks for any help! <hr> EDIT: Updated above to point out that I am not stupid and that the login form is indeed loaded securely ;)
Tags
<jquery><iframe><https><xss>
Title
XSS between HTTP and HTTPS versions of the same domain
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USoucil
UserOwnerUserId
1. USoucil
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POXSS between HTTP and HTTPS versions of the same domain
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.