The Definitive Guide to HTML5 Websocket // Example Websocket Server


Contents at a Glance

Foreword
About the Authors
About the Technical Reviewer
Acknowledgments
■ Chapter 1: Introduction to HTML5 WebSocket
■ Chapter 2: The WebSocket API
■ Chapter 3: The WebSocket Protocol
■ Chapter 4: Building Instant Messaging and Chat over WebSocket with XMPP
■ Chapter 5: Using Messaging over WebSocket with STOMP
■ Chapter 6: VNC with the Remote Framebuffer Protocol
■ Chapter 7: WebSocket Security
■ Chapter 8: Deployment Considerations
■ Appendix A: Inspecting WebSocket Traffic
■ Appendix B: WebSocket Resources
Index

CHAPTER 1

Introduction to HTML5 WebSocket

This book is for anyone who wants to learn how to build real-time web applications.
You might say to yourself, “I already do that!” or ask “What does that really mean?” Let’s clarify: this book will show you how to build truly real-time web applications using a revolutionary new and widely supported open industry standard technology called WebSocket, which enables full-duplex, bidirectional communication between your client application and remote servers over the Web—without plugins!

Still confused? So were we a few years ago, before we started working with HTML5 WebSocket. In this guide, we’ll explain what you need to know about WebSocket, and why you should be thinking about using WebSocket today. We will show you how to implement a WebSocket client in your web application, create your own WebSocket server, use WebSocket with higher-level protocols like XMPP and STOMP, secure traffic between your client and server, and deploy your WebSocket-based applications. Finally, we will explain why you should be thinking about using WebSocket right now.

What is HTML5?

First, let’s examine the “HTML5” part of “HTML5 WebSocket.” If you’re already an expert with HTML5, having read, say, Pro HTML5 Programming, and are already developing wonderfully modern and responsive web applications, then feel free to skip this section and read on. But, if you’re new to HTML5, here’s a quick introduction.

HTML was originally designed for static, text-based document sharing on the Internet. Over time, as web users and designers wanted more interactivity in their HTML documents, they began enhancing these documents, by adding form functionality and early “portal” type capabilities. Now, these static document collections, or web sites, are more like web applications, based on the principles of rich client/server desktop applications. These web applications are being used on almost any device: laptops, smart phones, tablets—the gamut.
HTML5 is designed to make the development of these rich web applications easier, more natural, and more logical, where developers can design and build once, and deploy anywhere. HTML5 makes web applications more usable, as well, as it removes the need for plugins. With HTML5, you now use semantic markup language like <header> instead of <div class="header">. Multimedia is also much easier to code, by using tags like <audio> and <video> to pull in and assign the appropriate media type. Additionally, by being semantic, HTML5 is more accessible, since screen readers can more easily read its tags.

HTML5 is an umbrella term that covers the large number of improvements and changes happening in web technologies, and includes everything from the markup you use on your web pages to the CSS3 styling, offline and storage, multimedia, connectivity, and so on. Figure 1-1 shows the different HTML5 feature areas.

Figure 1-1. HTML5 feature areas (W3C, 2011)

There are lots of resources that delve into these areas of HTML5. In this book, we focus on the Connectivity area, namely the WebSocket API and protocol. Let’s take a look at the history of HTML5 connectivity.

HTML5 Connectivity

The Connectivity area of HTML5 includes technologies like WebSocket, Server-Sent Events, and Cross-Document Messaging. These APIs were included in the HTML5 specification to help simplify some of the areas where browser limitations prevented web application developers from creating the rich behavior they desired or where web application development was becoming overly complex.

One example of simplification in HTML5 is Cross-Document Messaging. Before HTML5, communication between browser windows and frames was restricted for security reasons. However, as web applications started to bring together content and applications from different web sites, it became necessary for those applications to communicate with each other.
To address this, standards bodies and major browser vendors agreed to support Cross-Document Messaging, which enables secure cross-origin communication across browser windows, tabs, and iFrames. Cross-Document Messaging defines the postMessage API as a standard way to send and receive messages. There are many use cases for consuming content from different hosts and domains—such as mapping, chat, and social networks—to communicate inside the web browser. Cross-Document Messaging provides asynchronous message passing between JavaScript contexts.

The HTML5 specification for Cross-Document Messaging also clarifies and refines domain security by introducing the concept of origin, which is defined by a scheme, host, and port. Basically, two URIs are considered from the same origin if and only if they have the same scheme, host and port. The path is not considered in the origin value.

The following examples show mismatched schemes, hosts, and ports (and therefore different origins):

• https://www.example.com and http://www.example.com
• http://www.example.com and http://example.com
• http://example.com:8080 and http://example.com:8081

The following examples are URLs of the same origin: http://www.example.com/page1.html and http://www.example.com/page2.html.

Cross-Document Messaging overcomes the same-origin limitation by allowing messages to be exchanged between different origins. When you send a message, the sender specifies the receiver’s origin and when you receive a message the sender’s origin is included as part of the message. The origin of the message is provided by the browser and cannot be spoofed. On the receiver’s side, you can decide which messages to process and which to ignore. You can also keep a “white list” and process only messages from documents with trusted origins.
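The origin rules and the receiver-side white list described above, as an added JavaScript example (not code from the book). The helper names `originOf`, `sameOrigin` and `makeMessageHandler` are hypothetical, and the sample events and the `chat.example.com` host are constructed for illustration.

```javascript
// Added example (not from the book): origin comparison and a receiver-side
// allowlist for Cross-Document Messaging. Runs in Node.js or in a browser.

// An origin is the (scheme, host, port) triple; the path is ignored.
// The URL parser drops default ports, so http://example.com and
// http://example.com:80 serialize to the same origin string.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical helper: builds a "message" event handler that hands data to
// `onTrusted` only when the sender's origin is on the allowlist.
function makeMessageHandler(trustedOrigins, onTrusted) {
  // Normalize every entry to its origin so a path in the list is harmless.
  const allow = new Set(trustedOrigins.map(originOf));
  return function handleMessage(event) {
    // event.origin is filled in by the browser, not by the sending script.
    // Compare the complete origin string: a prefix or substring test would
    // also accept look-alike hosts that merely contain a trusted name.
    if (!allow.has(event.origin)) {
      return false; // ignore messages from origins that are not listed
    }
    onTrusted(event.data, event.origin);
    return true;
  };
}

// Constructed sample events, shaped like the MessageEvent objects a browser
// delivers (only the two fields the handler reads).
function demo() {
  const received = [];
  const handler = makeMessageHandler(
    ["https://chat.example.com", "http://example.com:8080/widget.html"],
    (data, origin) => received.push({ origin, data })
  );
  const events = [
    { origin: "https://chat.example.com", data: "hello" },
    { origin: "http://chat.example.com", data: "scheme differs" },
    { origin: "http://example.com:8080", data: "widget ready" },
    { origin: "http://example.com:8081", data: "port differs" },
    { origin: "https://chat.example.com.attacker.example", data: "look-alike host" },
  ];
  const decisions = events.map((e) => handler(e));
  return { decisions, received };
}

// Browser wiring (assumed page setup):
//   window.addEventListener("message", handler);
// Sender side: name the receiver's origin explicitly rather than "*":
//   otherWindow.postMessage("hello", "https://chat.example.com");
```
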
Cross-Document Messaging is a great example of where the HTML5 specification simplifies communication between web applications with a very powerful API. However, its focus is limited to communicating across windows, tabs, and iFrames. It does not address the complexities that have become overwhelming in protocol communication, which brings us to WebSocket.

Ian Hickson, the lead writer of the HTML5 specification, added what we now call WebSocket to the Communication section of the HTML5 specification. Originally called TCPConnection, WebSocket has evolved into its own independent specification. While WebSocket now lives outside the realm of HTML5, it’s important for achieving real-time connectivity in modern (HTML5-based) web applications. WebSocket is also often discussed as part of the Connectivity area of HTML5. So, why is WebSocket meaningful in today’s Web? Let’s first take a look at older HTTP architectures where protocol communication is significant.

Overview of Older HTTP Architectures

To understand the significance of WebSocket, let’s first take a look at older architectures, specifically those that use HTTP.

HTTP 101 (or rather, HTTP/1.0 and HTTP/1.1)

In older architectures, connectivity was handled by HTTP/1.0 and HTTP/1.1. HTTP is a protocol for request-response in a client/server model, where the client (typically a web browser) submits an HTTP request to the server, and the server responds with the requested resources, such as an HTML page, as well as additional information about the page. HTTP was also designed for fetching documents; HTTP/1.0 sufficed for a single document request from a server. However, as the Web grew beyond simple document sharing and began to include more interactivity, connectivity needed to be refined to enable quicker response time between the browser request and the server response.
In HTTP/1.0, a separate connection was made for every request to the server, which, to say the least, did not scale well. The next revision of HTTP, HTTP/1.1, added reusable connections. With the introduction of reusable connections, browsers could initialize a connection to a web server to retrieve the HTML page, then reuse the same connection to retrieve resources