+1
Answered

Cross script scripting block disabling sitepal

Doug Bain 8 years ago updated by Gil 8 years ago 3
We have noticed that our avatar is blocked by some corporate networks that don't permit cross site scripting... it sees scripts coming from sitepal instead of scripts from the requested domain. Is there a workaround to this? or can these large corporates not use our Sitepal implementation?
Doug -
This is a bit unusual. We have never received any report of SitePal being blocked due to XSS concerns.

I think it is more likely that a specific corporate network has restrictions in place to block traffic from any domain that has not been specifically whitelisted with the corporate authorities. Some companies go overboard in trying to prevent their employees to interact with anything but work. Such restrictions would affect not only SitePal bu many other services as well.

In general, this does not seem to be a significant concern - but we would look into it further if you could provide more info (i.e. a Fiddler printout etc.)
Regards
Gil
The problem manifested itself at 2 pharmaceutical company offices. On both occasions our page containing the avatar refused to load with a javascript error pointing towards oddcast - this was on the clients presentation computer. It is difficult for us to re-create the error as we were in a demo situation. Switching outside the corporate network resolved the issue. It could be a whitelisting issue, but I suspect it is more the fact that our site jumped domains to pull JSS. We had a similar issue with Google Maps. We managed to work around the google maps issue with a change to a server side call.
Doug -

Which browser was used? Was the demo done on your computer (i.e. laptop you brought with you) or on the host company computer?
I'm thinking possibly restrictive browser settings.

Also - was the page loaded in http or https?
LMK
Gil