开发者

Ajax.Request to external site: XSS or not?

I thought the below was not working because I was attempting XSS, but I tried performing a local port redirect to confirm, and it still wouldn't work. Can someone let me know if this is XSS or not, and if not, why it's not working?

<html>
   <div id="output"></div>
   <script src="prototype.js" type="text/javascript"></script>
   <script type="text/javascript">
      function test()
      {
         this.url = "http://www.google.com"
      }

      test.prototype.run = function() 
      {
         var request = new Ajax.Request(this.url, 
            {
               method: "get",
               onSuccess: this.success.bind(this),
               onFailure: function(response) { alert("failure"); }
            });
      };

      test.prototype.success = function(response)
      {
         var debug = "this.url = " + this.url + ",<br>"
            + " response.status = " + response.status + ",<br>"
            + " response.statusText = " + response.statusText + ",<br>"
            + " response.readyState = " + response.readyState + ",<br>"
            + " response.responseText = " + response.responseText + ",<br>"
            + " response.responseXML = " + response.responseXML + ",<br>"
            + " response.responseJSON = " + response.responseJSON + ",<br>"
            + " response.headerJSON = " + response.headerJSON + ",<br>"
            + " response.request = " + response.request + ",<br>"
            + " response.transport = " + response.transport + ",<br>"
            + " response.transport.readyState = " + response.transport.readyState + ",<br>"
            + " response.transport.responseText = " + response.transport.responseText + ",<br>";
         document.getElementById("output").update(debug);
      };

      new 开发者_JAVA百科test().run();
   </script>
</html>


it's not XSS (which is a way to attack the client side of web applications), but it is simply the same origin policy being in effect here. You can't simply request data with an Ajax request from a domain other than your own (your own meaning the one your web application was loaded from).

Learn more about it here: http://en.wikipedia.org/wiki/Same_origin_policy

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜