Cross Site Scripting

So I had to do it today, I had two pages, in two unrelated domains ( and and I had to open a page from one and interact with it. Security constraints disallow this, unfortunately. There are all sorts of ways around it, mostly focusing on proxies, but I didn't want to get into that for a simple page, so I decided to write my own stupid method to do it.

From the calling page:

// The first string holds the called page's URL, including its existing query string.
var url = "" + "&onCloseRedirectTo=" +
		encodeURIComponent(window.location.href +
			"&returnUrl=" + encodeURIComponent(window.location.href));

And using JS injection for the called page (I have some limited control there), I put:

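	// Keep a reference to the native close before replacing it.
	var oldClose = window.close;
	window.close = function()
	{
		if(window.opener && window.returnValue )
		{
			// Send the opener to the URL the calling page passed in.
			var url = decodeURIComponent($.getURLParam('onCloseRedirectTo')) + 
							"&idToAdd=" + window.returnValue;
			window.opener.location.href = url;
		}
	};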

And voila, it works. I'll leave the how as an exercise for the reader. Suffice to say that if you want to add a local iframe to the mix you can even get it to work in an "ajaxian" fashion.
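
The called page sends its opener to whatever `onCloseRedirectTo` contains, so anyone who can craft the link controls where the opener is navigated. The following is an added example, not code from the original post, that checks the target against an allowlist before navigating; `ALLOWED_ORIGINS`, `buildOpenerUrl`, `installCloseHook` and the `calling-site.example` origin are assumptions.

```javascript
// Added example. The origin below is a placeholder for the calling page's origin.
const ALLOWED_ORIGINS = ["https://calling-site.example"];

// Returns the URL the opener may be sent to, or null if the value is rejected.
function buildOpenerUrl(rawParam, returnValue, allowedOrigins) {
  let target;
  try {
    // No base URL is given, so relative or scheme-less values throw here.
    target = new URL(decodeURIComponent(rawParam));
  } catch (e) {
    return null; // malformed percent-encoding or not an absolute URL
  }
  // Only web schemes; this rejects javascript:, data: and similar.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Exact origin match (scheme + host + port), not a prefix or substring test.
  if (!allowedOrigins.includes(target.origin)) return null;
  // searchParams encodes the value, so it cannot add extra parameters.
  target.searchParams.set("idToAdd", String(returnValue));
  return target.href;
}

// The post's hook with the check applied; it also calls the saved native close.
// `win` is passed in so the function can be exercised outside a browser.
function installCloseHook(win, rawParam) {
  const nativeClose = win.close;
  win.close = function () {
    if (win.opener && win.returnValue) {
      const url = buildOpenerUrl(rawParam, win.returnValue, ALLOWED_ORIGINS);
      if (url) win.opener.location.href = url;
    }
    nativeClose.call(win);
  };
}
```

In the injected script this would be wired up as `installCloseHook(window, $.getURLParam('onCloseRedirectTo'))`, assuming `$.getURLParam` returns the still-encoded value as the post's `decodeURIComponent` call implies.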