Cross-Domain Scripting

Cross-domain scripting is a security vulnerability of web applications. If you trigger cross-domain scripting, and your browser doesn’t allow it, the web application will not run (in the case of a WCC application, it will state that it is unable to establish a connection to the Action Processor).

Some browsers are stricter about enforcing cross-domain scripting restrictions than others, and newer versions of browsers tend to be stricter than older versions. Some browsers also provide methods to allow cross-domain scripting; see your browser’s documentation for more information.

Cross-domain scripting affects accessing WCC applications in the following ways:

  • URL used to launch the application - To prevent cross-domain scripting, it is best practice to ensure that the domain portion of the URL that is entered into the address line of the browser exactly matches the domain portion of the Action Processor URL specified in the application’s config.xml file.

    The domain consists of the "http://Host:Port" part of the URL.

    The domain used to launch the application cannot differ in any way from the Action Processor’s specified domain; otherwise, cross-domain scripting may be triggered (depending on your browser). That is, you cannot use "http" in one and "https" in the other; you cannot use a host name in one and an IP address in the other; one host name cannot be unqualified and the other qualified; and you cannot use "localhost" in one and "127.0.0.1" in the other.

    To determine if cross-domain scripting is being used, the browser simply compares the URL domains as strings.

    Note that in a production environment, where the WCC application and Action Processor are deployed to the same node and HTTP connector, the normal practice is to specify an empty string for the Action Processor URL in the application’s config.xml file. When this is done, the URL of the Action Processor is inferred from the URL used to launch the application. This avoids the issue of comparing URL strings. For more information, see Action Processor.

  • Running the application from the local file system - Because of the security risk of cross-domain scripting, some browsers will not allow you to run a web application (including a WCC application) from the local file system.

    Note that you would typically only run a WCC application from the file system in a testing and development environment. In a production environment, it is expected that the application will be deployed to a Web server and run from there. For information about deploying, see Deploying an Application After Customizing.
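
The string comparison of URL domains described above can be checked before deployment. The following is an added example, not code from the WCC product: the function names, host names, ports and paths are constructed for illustration, and the second argument stands for the Action Processor URL value taken from config.xml.

```javascript
'use strict';
// Added example (not product code). Hosts, ports and paths below are constructed.

// Return the literal "scheme://host:port" prefix without normalizing it, since
// the comparison described above is a plain string comparison.
// Assumption: IPv6 literal hosts are not handled.
function domainPart(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?/.exec(url);
  return m ? { text: m[0], scheme: m[1], host: m[2], port: m[3] || '' } : null;
}

// launchUrl: what the user types into the address line.
// actionProcessorUrl: the Action Processor URL value from config.xml.
function checkActionProcessorUrl(launchUrl, actionProcessorUrl) {
  if (/^file:/i.test(launchUrl)) {
    // Flagged conservatively: some browsers refuse to run from the file system.
    return { match: false, inferred: false,
             reasons: ['launched from the local file system'] };
  }
  if (actionProcessorUrl === '') {
    // Empty string: the Action Processor URL is inferred from the launch URL.
    return { match: true, inferred: true, reasons: [] };
  }
  const a = domainPart(launchUrl);
  const b = domainPart(actionProcessorUrl);
  if (!a || !b) {
    return { match: false, inferred: false, reasons: ['URL has no scheme://host part'] };
  }
  const reasons = [];
  for (const part of ['scheme', 'host', 'port']) {
    if (a[part] !== b[part]) reasons.push(`${part}: "${a[part]}" vs "${b[part]}"`);
  }
  return { match: a.text === b.text, inferred: false, reasons };
}

// Constructed launch/config pairs covering the mismatches the page lists.
const samples = [
  ['http://localhost:8080/app/index.html', 'http://127.0.0.1:8080/ap'],
  ['http://wcchost:8080/app/index.html', 'https://wcchost:8080/ap'],
  ['http://wcchost:8080/app/index.html', 'http://wcchost.example.com:8080/ap'],
  ['http://wcchost:8080/app/index.html', ''],
];
for (const [launch, ap] of samples) {
  const r = checkActionProcessorUrl(launch, ap);
  console.log(r.match ? 'OK      ' : 'MISMATCH', launch, '<->', ap || '(empty)', r.reasons.join('; '));
}
```

Because the check deliberately avoids URL normalization, an explicit default port in one URL and an omitted port in the other is also reported as a mismatch.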