A new way to break the cross-origin policy for scripts hosted in different domains.

CORSET

This is a method to break the Cross-domain policy with 'script' tags.

Some people may say that the script tag is not subject to the cross-domain policy, and they would be almost right: a script can be loaded from another domain, but the page that loads it does not receive the details of errors thrown inside it.

The problem was logging uncaught errors with Hermes.js when the scripts are hosted on different domains (subdomains, CDN...).

Problem definition on Stack Overflow

Please be careful with this and use it only under your own responsibility.

How to test problem:

  • Use the files in the 'problem' folder.
  • Put the 'test.js' file on an external domain, or simulate one with a proxy, Fiddler...
  • Put 'problem.html' on your localhost server.
  • Open the 'problem.html' URL on your localhost server.
  • Check the console: you will see one line with the 'Script Error' at line number 0.

How to test solution:

  • Use the files in the 'solution' folder.
  • Put the 'test.js' file on an external domain, or simulate one with a proxy, Fiddler...
  • Put the 'iframeXOrigin.html' file on the same external domain as the 'test.js' file, or simulate it with a proxy, Fiddler...
  • Put 'XOrigin.html' on your localhost server.
  • Open the 'XOrigin.html' URL on your localhost server.
  • Check the console: the 'Script Error' at line number 0 no longer appears. Instead you will see a Hermes uncaught error type with the file URL and the line number where the error occurred.
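
A simplified model of the two test setups above, as an added example that is not code from this repository: it shows why the parent page's handler only sees 'Script Error' at line 0, and why an iframe served from the script's own domain sees the full details. The page does not show how 'iframeXOrigin.html' reports back, so the message relay with an origin check, the origins and all function names are assumptions.

```javascript
// Simplified model (added example): what window.onerror receives, and why
// loading test.js from an iframe on its own domain restores the details.
// All origins, URLs and function names are constructed for illustration.

// Same origin means same scheme, host and port; a subdomain or CDN differs.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Browsers mute errors from cross-origin scripts: the handler of the
// embedding document only sees "Script error." with line number 0.
function onerrorArgs(documentUrl, scriptUrl, err) {
  if (!sameOrigin(documentUrl, scriptUrl)) {
    return { message: 'Script error.', url: '', line: 0 };
  }
  return { message: err.message, url: scriptUrl, line: err.line };
}

// Assumed relay: the iframe posts its unmuted report to the parent page.
function iframeReport(iframeUrl, scriptUrl, err) {
  return {
    origin: new URL(iframeUrl).origin, // set by the browser on a MessageEvent
    data: { type: 'uncaught-error', report: onerrorArgs(iframeUrl, scriptUrl, err) },
  };
}

// Parent-side handler: accept reports only from the expected iframe origin
// and only with the expected shape, so other frames cannot inject log entries.
function makeReceiver(trustedOrigin, log) {
  return function (event) {
    if (event.origin !== trustedOrigin) return false;
    const d = event.data;
    if (!d || d.type !== 'uncaught-error' || !d.report || typeof d.report !== 'object') return false;
    const { message, url, line } = d.report;
    if (typeof message !== 'string' || typeof url !== 'string' || !Number.isInteger(line)) return false;
    log.push({ message, url, line });
    return true;
  };
}

// Constructed scenario matching the test steps above.
const PAGE = 'http://localhost/XOrigin.html';
const SCRIPT = 'http://cdn.example.test/test.js';
const IFRAME = 'http://cdn.example.test/iframeXOrigin.html';
const ERR = { message: 'Uncaught ReferenceError: foo is not defined', line: 3 };
```

Calling `onerrorArgs(PAGE, SCRIPT, ERR)` reproduces the muted report from the problem setup, while `makeReceiver('http://cdn.example.test', log)(iframeReport(IFRAME, SCRIPT, ERR))` logs the file URL and line number.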

Do you want to collaborate?

All constructive comments are welcome. I promise I will answer everyone.

Acknowledgements

Thanks to Manuel Flara for bringing this issue to my attention.