
[WEB SECURITY] CSSHttpRequest



I came across this today, and thought folks here might be interested: http://nb.io/hacks/csshttprequest/

It's basically a clever hack using CSS @import rules to perform cross-domain AJAX calls -- the idea is to allow JavaScript to request information from a remote domain without allowing that remote domain to execute JavaScript on the page... My question is, can anyone abuse it to execute arbitrary JS anyway? (I only poked at it for a few minutes, but didn't succeed...)

-sq
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
