How to bypass same origin directive

tcoufal

Hi Guys,

I have the following question.

I am well aware of the security risks, but I am doing some tests and hit the wall, so to speak.

I would need to bypass the Same origin directive.

I am writing some JavaScript code (HTML and pure JS + d3 library). It's a network topology view based on JSON data served by a ThingWorx Thing service.

So in the JavaScript I am referencing the ThingWorx machine.

I placed the code directly in Tomcat/Webapps/Thingworx/Common/<folder for external code>/<some external code>, so I would not have to set up a second web server to run it (serve it).

So now I can use webFrame or links from mashups to access the code. It also works when I store the complete code (HTML and JS) as an HTML property and bind that property to an HtmlTextArea widget set to ReadOnly (how cool is that). Anyhow, the IP address in that script and the IP address which I am using to access that script must be exactly the same, otherwise it's XSS. I could simply use localhost, but then it will only work on the local machine (not really a webapp...).


So I would like to keep the IP address in my JS code as it is (as I need it to be).


So I would like to somehow bypass the Same origin policy...


Thanks for your ideas...


Tomas


Picture of how it looks, if someone's interested.
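Added example, not code from the thread: how a browser decides whether two URLs share an origin (scheme, host, port), and how building the service URL from the page's own origin instead of a hard-coded IP keeps the request same-origin whichever address the user typed. The URLs and the service path are constructed placeholders; `pageUrl` stands in for `window.location.href`.

```javascript
// Added example: same-origin comparison (scheme, host, effective port) and
// building a request URL from the page's own origin rather than a fixed IP.
// All URL values below are constructed, not taken from the thread.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalize a URL into the origin triple the browser compares.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Two URLs are the same origin only when all three parts match exactly.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Resolve a service path against the origin the page was loaded from.
// `pageUrl` stands in for window.location.href in a real page.
function serviceUrlFor(pageUrl, servicePath) {
  return new URL(servicePath, new URL(pageUrl).origin).href;
}

// Constructed case: the script hard-codes 192.0.2.10, but the user opened the
// page via localhost, so the browser treats the request as cross-origin.
const hardCoded = "http://192.0.2.10:8080/Thingworx/Things/Topology/Services/GetData";
const viaLocalhost = "http://localhost:8080/Thingworx/Common/extensions/topology/index.html";
console.log(isSameOrigin(viaLocalhost, hardCoded)); // false

// Deriving the URL from the page's own origin keeps it same-origin.
const derived = serviceUrlFor(viaLocalhost, "/Thingworx/Things/Topology/Services/GetData");
console.log(isSameOrigin(viaLocalhost, derived)); // true
```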


Re: How to bypass same origin directive

I know this doesn't answer your question, but have you seen this extension: http://marketplace.thingworx.com/Items/d3-network

Re: How to bypass same origin directive

Hi Carles,

I have posted the picture after your reply, so now you can see what I am aiming for.

The d3 Network widget is of no use to me in this case.

But I will have to start doing some serious research about Extension development.

Re: How to bypass same origin directive

Did you try to start your development from the D3 Network Widget? I think it's close to what you need; I've already seen what you want done in TW (don't ask me when/where, I don't remember).

Re: How to bypass same origin directive

I did not. I will have to look into it.

First of all I will have to understand how Extensions communicate with the platform data-wise (from what I see, it uses that big combined.js file as its reference).

Personal question. I've seen that you are doing something TDD-like with the TW platform. Could you spare some knowledge on this subject?

I will understand if not, I am just being curious.

Re: How to bypass same origin directive

For TDD I've done a module where you can define Service Calls and their pre-filled parameters, then it tests whether the result is the expected one. Those TDD tests can be called by different users and applied to System Things and Customer Things (we have a Multi-Tenancy solution).

Here you have a screenshot of the TDD Manager:


Re: How to bypass same origin directive

Wow, that looks awesome and is also a brilliant idea. I wish I had time to do something like this. I am guessing that you are testing only services which you have written, right? (No point in checking core/system services, or am I mistaken?)

One question: is that TDD manager a standard Mashup? How have you achieved that Menu in the top right corner (it must be a static layout, or?)

Thanks

Tomas

Re: How to bypass same origin directive

Hi Tomas,

About testing Standard/Core/System services --> Yes, you can test them with this tool, and if you have time it may be recommendable to build tests for the platform too; you never know what will fail, and they can fail --> Sometimes your services will fail because some underlying platform services fail.

TDD is a Standard Mashup, yes, loaded through a Menu which is included on a Master Mashup which controls all our Platform.
