How can I sandbox untrusted user-submitted JavaScript content?

Create a well-defined message interface and use a JavaScript Web Worker for the code you want to sandbox.

HTML5 Web Workers

Web Workers do not have access to the following DOM objects:

- The window object
- The document object
- The parent object

So they can't redirect your page or alter data on it. You can create …
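The sandbox the answer describes, as an added example that is not part of the original answer: untrusted code runs in a Blob-backed Web Worker and only ever reaches the page through a fixed message shape that the host validates before acting on it. The helper names (validateWorkerMessage, buildWorkerSource, createSandbox), the message size cap and the time budget are assumptions of this example, not anything the answer specifies.

```javascript
// Added example (not the original answer's code): host-side Web Worker sandbox
// with a strict message protocol. Assumes a browser with Worker/Blob support.

// The only message shapes the host accepts back from the worker.
const WORKER_MESSAGE_TYPES = new Set(['result', 'error']);
const MAX_MESSAGE_CHARS = 64 * 1024; // assumed cap so a hostile script cannot flood the host

// Returns a sanitised copy of a worker message, or null if it is off-protocol.
function validateWorkerMessage(data) {
  if (typeof data !== 'object' || data === null) return null;
  if (!WORKER_MESSAGE_TYPES.has(data.type) || !Number.isInteger(data.id)) return null;
  if (data.type === 'error' && typeof data.text !== 'string') return null;
  let encoded;
  try {
    encoded = JSON.stringify({ value: data.value, text: data.text });
  } catch (e) {
    return null; // cyclic or otherwise unserialisable payload
  }
  if (encoded.length > MAX_MESSAGE_CHARS) return null;
  return { type: data.type, id: data.id, value: data.value, text: data.text };
}

// Builds the worker script. Inside a worker there is no window, document or
// parent, so the untrusted code cannot touch the page. It still has network
// access and importScripts(), so those globals are removed as defence in depth;
// the authoritative restriction belongs in the page's CSP (worker-src, connect-src).
function buildWorkerSource(untrustedCode) {
  return `
    for (const name of ['importScripts', 'fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource']) {
      try { self[name] = undefined; } catch (e) {}
    }
    const run = new Function('input', ${JSON.stringify(untrustedCode)});
    self.onmessage = (e) => {
      const { id, input } = e.data;
      try {
        self.postMessage({ type: 'result', id, value: run(input) });
      } catch (err) {
        self.postMessage({ type: 'error', id, text: String(err && err.message) });
      }
    };
  `;
}

// Host side: one pending entry per call. Messages that fail validation or carry
// an unknown id are dropped. A call that overruns its budget terminates the
// whole worker, because a busy loop inside it cannot be interrupted any other way.
function createSandbox(untrustedCode, timeoutMs = 1000) {
  const blob = new Blob([buildWorkerSource(untrustedCode)], { type: 'text/javascript' });
  const worker = new Worker(URL.createObjectURL(blob));
  const pending = new Map();
  let nextId = 0;

  const failAll = (reason) => {
    for (const p of pending.values()) { clearTimeout(p.timer); p.reject(new Error(reason)); }
    pending.clear();
  };
  worker.onmessage = (e) => {
    const msg = validateWorkerMessage(e.data);
    if (!msg || !pending.has(msg.id)) return; // off-protocol: ignore
    const { resolve, reject, timer } = pending.get(msg.id);
    pending.delete(msg.id);
    clearTimeout(timer);
    if (msg.type === 'error') reject(new Error(msg.text)); else resolve(msg.value);
  };
  worker.onerror = (e) => { e.preventDefault(); failAll('worker error'); };

  return {
    call(input) {
      return new Promise((resolve, reject) => {
        const id = nextId++;
        const timer = setTimeout(() => { worker.terminate(); failAll('timeout'); }, timeoutMs);
        pending.set(id, { resolve, reject, timer });
        worker.postMessage({ id, input });
      });
    },
    terminate() { worker.terminate(); failAll('terminated'); },
  };
}

// Usage in a page (skipped outside a browser). The snippet is a constructed
// stand-in for user-submitted code.
if (typeof Worker === 'function' && typeof document !== 'undefined') {
  const sb = createSandbox('return input.map(x => x * 2)');
  sb.call([1, 2, 3]).then(console.log).finally(() => sb.terminate());
}
```

Two caveats a practitioner should keep in mind: a worker created from a Blob URL runs in the page's origin, so hosting the worker script on a separate origin (or locking the page down with CSP) is what actually keeps the sandboxed code away from the page's cookies and APIs; and deleting globals inside the worker is only belt-and-braces, since a nested worker would get a fresh global scope.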

Can I disable SOP (Same Origin Policy) on any browser for development?

UPDATE 6/2012: This used to work at the time of writing, but obviously no more. Sorry.

In Firefox (might apply to other Gecko-based browsers as well) you can use the following JavaScript snippet to allow cross-domain calls:

if (navigator.userAgent.indexOf("Firefox") != -1) {
  try {
    netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  } catch (e) {
    alert("Permission UniversalBrowserRead denied — not …

Using iframe with local files in Chrome

I'm sorry to say that I've tried for weeks to solve this issue (I needed it for a project) and my conclusion is that it's not possible. There are a lot of problems around local access through JavaScript with Chrome, and some of them can be solved using --allow-file-access-from-files and --disable-web-security, including some HTML5 …

How do I use Access-Control-Allow-Origin? Does it just go in between the html head tags?

There are 3 ways to allow cross-domain origin (excluding JSONP):

1. Set the header in the page directly using a templating language like PHP. Keep in mind there can be no HTML before your header or it will fail.
2. Modify the server configuration file (apache.conf) and add this line. Note that "*" represents allow all. …

How to disable same origin policy Internet Explorer

Yes, you can set this in Internet Options:

1. Go to the Security tab.
2. For the current zone click the "Custom level…" button.
3. In the next window, scroll about a third of the way down to "Miscellaneous > Access data sources across domains" and set it to "Enable".

If the current zone is Internet, then you …

Why is there no preflight in CORS for POST requests with standard content-type

See "What is the motivation behind the introduction of preflight CORS requests?". The reason CORS doesn't require browsers to do a preflight for application/x-www-form-urlencoded, multipart/form-data, or text/plain content types is that if it did, that'd make CORS more restrictive than what browsers have already always allowed (and it's not the intent of CORS to put …
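Both CORS answers above, the one on where Access-Control-Allow-Origin is set and the one on why form-style POSTs skip the preflight, as one added example that is not part of either answer: a Node.js request handler that answers preflights and echoes an allowlisted Origin instead of "*", together with a function that models the browser's "simple request" decision. The origin allowlist, the port and the function names are assumptions of this example.

```javascript
// Added example (not code from either original answer): explicit CORS handling
// on the server, plus a model of the browser-side "no preflight" rule.

// Content types a plain HTML <form> could always have sent cross-origin; the
// CORS rule therefore lets a POST carrying one of them go without a preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers a script may set without triggering a preflight (the spec has
// since added a restricted form of Range, not modelled here).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Models the browser's decision: does this request need a preflight?
// authorHeaders holds only the headers the script itself set, not browser-added ones.
function isSimpleRequest(method, authorHeaders) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) return false;
  for (const [name, value] of Object.entries(authorHeaders)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false; // e.g. Authorization, X-Requested-With
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase(); // drop "; charset=" / "; boundary="
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;             // application/json forces a preflight
    }
  }
  return true;
}

// Assumed allowlist for this example. Reflecting whatever Origin arrives is the
// classic CORS misconfiguration: it is "*" in disguise, but with credentials.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Returns the CORS response headers for an allowed Origin, or null. Without an
// Access-Control-Allow-Origin header the browser refuses to expose the response.
function corsHeadersFor(origin, allowlist = ALLOWED_ORIGINS) {
  if (!origin || !allowlist.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // echo the one allowed origin, never "*" with credentials
    'Vary': 'Origin',                            // shared caches must key on Origin
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '600',
  };
}

// Node.js (req, res) handler: preflights get headers only; everything else gets
// the resource, with CORS headers only when the Origin is allowed.
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') {
    res.writeHead(cors ? 204 : 403);
    return res.end();
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

// Starts a real server; call startServer(8080) yourself (not started automatically).
function startServer(port) {
  const http = require('http'); // Node.js standard library
  return http.createServer(handle).listen(port);
}
```

The server never sees the browser's "simple request" decision directly; it only sees either a preflight OPTIONS (for the non-simple cases) or the actual request. That is why the "*" mentioned in the second answer is rarely what you want on an endpoint that reads cookies or an Authorization header: browsers reject "*" combined with credentials, and the tempting workaround of echoing any Origin reopens the cross-site read that the same-origin policy was blocking.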