
I've been trying to access different domains from my JavaScript (to pull the page title) but cannot because of the same-origin policy.

What I realized is that JavaScript "installed" into the browser via bookmarklets is not restrained by this policy.

This got me wondering how security is kept... for example, Delicious bookmarklets... I can just modify them and start AJAXing delicious.com... I don't plan on doing this, but likewise someone could do this to a bookmarklet that I create.

How do you create security here?

Do some sites allow public access via ajax?

1 Answer


As far as the server is concerned, there is no such thing as AJAX. AJAX requests are just HTTP requests like any other.

The restriction of cross-domain AJAX is done by the browser for the sake of avoiding cross-site scripting attacks (you wouldn't want a third-party ad to have access to your Stack Overflow session data and be able to ship that somewhere else, would you?).

The browser (apparently) does not limit "bookmarklets" in the same way. If you decided to put a bit of script into a bookmark, I guess the browser is perfectly happy to execute it.

JAAulde
  • OP is wrong. Bookmarklets are restricted just the same as script included in the page. He is probably getting confused by the use of things like JSONP by certain bookmarklets to get around same origin restrictions (in a very limited way). – DG. May 27 '12 at 01:47
  • @DG - Yeah, I figured but wasn't sure and didn't have time to test. That's why I used the word "apparently" in parenthesis. That said, different browsers may treat this a little differently than others, and it doesn't change the fact that none of these restrictions are handled server side. All this being the case, if you're the one who down-voted my answer, I don't think that was appropriate. – JAAulde May 27 '12 at 03:23
  • Your answer had a blatant and potentially very misleading factual error in it but 3 upvotes. I felt a downvote was a necessary correcting action. It's not like I pushed you into negative territory. Had you said "The browser possibly (but I haven't tested) does not limit...", I would not have downvoted. Edit your answer appropriately and I'll remove the downvote. FYI, it costs points to downvote, so I don't do it lightly. – DG. May 30 '12 at 02:09
  • @HiroProtagonist regarding "I upvoted...Never downvoted any one's post....I pretend I'm on Facebook and there are only upvotes".. IMHO, this is a wrong way of thinking. The point of SO is to be a no-nonsense useful resource for software developers, not a place to praise your mom for her cookies. Carefully applied, downvotes can help improve the quality of SO as a resource. – DG. May 30 '12 at 02:12
  • I'm still confused coming back to this... because I'm pretty sure bookmarklets can access another page's DOM... this is how bookmarking bookmarklets work... at a quick glance of one, they access `document.title` from whatever page you "use" the bookmarklet on. However, if I am not using a bookmarklet, then I don't have access to another page's DOM like this. – Sep 07 '12 at 12:52
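The rule the answer and comments argue about, as an added example that is not from the thread: the browser's same-origin check is a comparison of the (scheme, host, port) tuple, and a bookmarklet runs with the origin of the page it is clicked on, so it can read that page's DOM but is blocked from other origins exactly like in-page script. The URLs below are constructed sample inputs; `sameOrigin` and `bookmarkletCanRead` are hypothetical names for this illustration.

```javascript
// Added example (not from the thread): the browser's same-origin rule,
// modelled as the (scheme, host, port) tuple comparison that decides whether
// script running on one page may read a response from another.
// Runs under Node.js, which provides the WHATWG URL class.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the origin tuple the browser compares.
// Returns null for schemes that get an opaque origin (file:, data:),
// which never match anything, not even themselves.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL elides the default port, so fill it back in before comparing.
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// True only when scheme, host and port all agree; path and query are ignored.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// A bookmarklet executes in the context of the page it is clicked on, so it
// inherits that page's origin: reading document.title of that page is fine,
// but an XMLHttpRequest to another origin is refused by the same rule.
function bookmarkletCanRead(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// Constructed sample: a bookmarklet clicked on a Stack Overflow page.
console.log(bookmarkletCanRead("https://stackoverflow.com/q/1", "https://stackoverflow.com/users/1")); // true
console.log(bookmarkletCanRead("https://stackoverflow.com/q/1", "https://delicious.com/api"));          // false
```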