Re: [WEB SECURITY] AJAX load content from different hosts/sites?
- From: Koen Van Impe <koen.vanimpe@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] AJAX load content from different hosts/sites?
- Date: Mon, 21 Jan 2008 22:04:07 +0100
Mattias Ahnberg wrote:
> I know that you can, without bothers, AJAX-load stuff from the
> same website. But how can I do it properly between different
> sites? What methods can we choose from?
>
> Say I have mysite.com and want to AJAX load some content from
> yoursite.com, is that possible at all? And would it matter if
> I renamed yoursite.com to yourhost.mysite.com and loaded it
> from that instead? Or to avoid XSS, am I limited to only and
> without exceptions load content from mysite.com?
>
Most server-side languages (like PHP) allow you to include content from
other sites (for PHP, e.g., there's file_get_contents()), regardless of
the site name.
Including content from other sites via JavaScript depends on your
browser. Internet Explorer uses "zones" to determine whether or not
you're allowed to include the content. Firefox is more restrictive through the
use of privileges.
Info at
http://www.mozilla.org/projects/security/components/signed-scripts.html
might prove useful.
What exactly do you mean by AJAX-load? Including "news" from other sites
can be done via RSS and has no need for AJAX.
Hope this helps.
Koen
--
Koen Van Impe
koen.vanimpe@xxxxxxxxx
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
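
Added example, not part of the thread above: a sketch of the decision the question turns on, using the host names from Mattias's message. It compares origins (scheme, host, port) the way browsers do for XMLHttpRequest, and routes cross-origin targets to a server-side fetch only when the host is on an allowlist. The function names and the allowlist contents are assumptions made for illustration.

```javascript
// Hosts the server-side fetcher may contact (constructed allowlist, an assumption).
const PROXY_ALLOWLIST = new Set(['yoursite.com']);

// Origin = scheme + host + port. The URL parser lowercases the host and
// drops default ports, so http://MYSITE.com:80 equals http://mysite.com.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Decide how a page at pageUrl can load targetUrl:
//   xhr    - same origin, the browser allows a direct request
//   proxy  - cross-origin, fetch it server-side (host is allowlisted)
//   refuse - anything else
function planLoad(pageUrl, targetUrl, allowlist = PROXY_ALLOWLIST) {
  let target;
  try {
    target = new URL(targetUrl, pageUrl); // relative URLs resolve against the page
  } catch (e) {
    return { mode: 'refuse', reason: 'unparseable URL' };
  }
  // A server-side fetcher should never follow file:, ftp:, etc.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { mode: 'refuse', reason: 'scheme not allowed' };
  }
  if (sameOrigin(pageUrl, target.href)) {
    return { mode: 'xhr', url: target.href };
  }
  // Exact host match only: a subdomain or look-alike suffix does not qualify.
  if (!allowlist.has(target.hostname)) {
    return { mode: 'refuse', reason: 'host not on proxy allowlist' };
  }
  return { mode: 'proxy', url: target.href };
}

// Constructed sample inputs based on the host names in the question.
const page = 'http://mysite.com/index.html';
for (const t of ['/news.xml', 'http://yourhost.mysite.com/a', 'http://yoursite.com/feed']) {
  console.log(t, '->', planLoad(page, t).mode);
}
```

Renaming yoursite.com to yourhost.mysite.com does not make it same-origin, because the host part still differs from mysite.com.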