Enabling XSS from files hosted on local filesystem
I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.
It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.
Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?
Well, although you will have to change the server and client code a little bit, it isn't very clean, and you will have to trust the server, you can load the data as JavaScript that contains a call to a function in your page, with a big string or so as the parameter. This seems to be a good example.
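The pattern this answer describes (the server returns a script that calls a function in the page with the data as its argument, i.e. JSONP) as an added example; this is not code from the question or any answer. The handler and the `loadData` callback name are hypothetical. It shows the check a defender wants on the server side: the callback name must be validated and the payload JSON-encoded, because an endpoint that echoes an arbitrary callback into a script response is a script-injection vector for any page that loads it, which is why "you will have to trust the server".

```javascript
// Added example (not from the original post): JSONP-style data delivery.
// Callback must be a plain identifier, optionally dotted (e.g. app.loadData).
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Server side (hypothetical handler): build the script the client will run.
function jsonpResponse(callbackName, data) {
  // An unvalidated callback lets a requester inject arbitrary script into
  // the response, so reject anything that is not an identifier.
  if (!SAFE_CALLBACK.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  // JSON.stringify yields a valid JS literal; additionally escape U+2028 and
  // U+2029, which are legal inside JSON strings but are line terminators in
  // older JavaScript engines and would break the script.
  const literal = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return callbackName + "(" + literal + ");";
}

// Client side (runs in the page, including from file://): insert a <script>
// pointing at the endpoint; the browser executes the returned call. Script
// loads are not blocked by the same-origin restriction that stops XHR here.
function loadViaScript(url, callbackName, onData) {
  const script = document.createElement("script");
  window[callbackName] = function (data) {
    delete window[callbackName]; // one-shot: remove the global afterwards
    script.remove();
    onData(data);
  };
  script.src = url + "?callback=" + encodeURIComponent(callbackName);
  document.head.appendChild(script);
}
```

A script load is always a GET, so the XHR POST the question asks about cannot be expressed this way; any request data has to travel in the query string.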
Alternatively, you could serve the files from a local webserver and fiddle around with the hosts file and document.domain.
I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.