HTML – Workaround for the same origin policy problem

html, same-origin-policy, security

I have a problem where I have a frameset consisting of a parent frame loaded from one domain and a contained frame from a different domain. The contained domain also sets a cookie before the frameset is loaded. However, because of the 'same origin' policy, enforced by most browsers, a contained frame will not pass cookies if it is not from the same domain as the parent.

Unfortunately I have no control over the parent frame (or its URL) and the URL for the contained frame is effectively static. So the only way to pass information to the contained site is via cookies.

The only solution I have come up with is to reload the contained domain in the parent frame but this negates some of the value of using frames in the first place.

Does anyone have a better workaround for this problem?

Best Solution

There are a couple of methods of getting around the Same Origin Policy that is preventing your iframes from speaking to each other. If you control both servers then you can use Flash's crossdomain.xml file. If you don't control one of the servers or you would like to use JavaScript, then you are forced to use a "Cross-Domain Proxy", such as this one for Java or Python or PHP.

Cross-Site XHR is another option but it isn't supported by all browsers.
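The two JavaScript-side options named in the answer both come down to a server-side decision: which upstream a cross-domain proxy may fetch, and which origin a cross-site XHR response may be shared with. The sketch below is an added example, not code from the original answer; the host names, origins and function names are constructed placeholders.

```javascript
// Added example: hosts and origins below are constructed placeholders.
const ALLOWED_UPSTREAMS = new Set(["api.partner.example"]);
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Cross-domain proxy side: decide whether the proxy may fetch the URL the
// page asked for. Returns the normalized URL, or null when it must refuse.
// Without this check the proxy relays requests to any host it can reach.
function resolveProxyTarget(rawUrl, allowedHosts = ALLOWED_UPSTREAMS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not an absolute, parseable URL
  }
  if (url.protocol !== "https:") return null;       // https only
  if (url.username || url.password) return null;    // no userinfo in the URL
  if (url.port !== "") return null;                 // default port only
  if (!allowedHosts.has(url.hostname)) return null; // exact host match only
  return url.href;
}

// Cross-site XHR side: headers that let one specific origin read the
// response. The Origin value is echoed only on an exact allow-list match,
// and "Vary: Origin" keeps caches from serving it to a different origin.
function corsHeadersFor(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof origin !== "string" || !allowedOrigins.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
  };
}
```

A proxy handler would call `resolveProxyTarget` before making any outbound request, and a cross-site XHR endpoint would merge `corsHeadersFor(request Origin header)` into its response.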