Donnerstag, 16. Februar 2006
Maddin, 16. Februar 2006 um 13:44:32 MEZ Cross Domain XMLHttpRequests are really not a good idea There was more than one moment in the last month, in which I wondered about the reasons behind the same-origin restriction on the XMLHttpRequest JavaScript object’s destination URL. This restriction effectively prevents JavaScript initiated cross domain http requests. None of the other network aware elements of HTML/JavaScript are subject to such a policy (e.g. images, iframes or scripts). Finally somebody convinced me: Lucas Carlson describes in a recent Blog entry how cross domain XMLHttpRequests could be employed to subvert firewall protection. A malicious JavaScript executed by a web browser behind a firewall would be able to communicate the content of any http intranet server, which would otherwise be protected by the firewall, to any host on the internet. Such a script is furthermore able to do a complete port scan on the intranet, thus discovering services and further attack targets. What a pity, cross domain Ajax would be so much fun otherwise. ... Link |
online for 8426 Days
last updated: 09.04.14, 16:14 Youre not logged in ... Login
click:
Martin Welt martinjohns.com Tumbling Nerd Alert Blogroll doomicile foobla simonox Podroll IT Conversations The Podcast about nothing |