Practical XSS
Posted on Thursday, August 16th, 2007 at 12:09 am
I was playing around with my API for FAP and made a very simple, 7kb, browser-based mass upload tool. Permissions and authentication are verified with JSON on the client side and files are uploaded using a plain POST request. Easy enough.
The problem came when I was trying to get my script to POST to the API. Asynchronous cross-domain requests aren't permitted by most browsers, because allowing them would be a serious security risk.
My solution: the iframe.
Targeting every POST request at an invisible iframe takes the cross-domain issue out of the picture.
You can even check progress with the iframe's onload() event.
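The hidden-iframe trick described above, as an added example that is not code from the original post or from the FAP API: the form is pointed at an invisible iframe, the browser performs the cross-domain POST, and the iframe's load event signals when a round trip has finished. The `doc` parameter (normally `document`) and the form id `fapUploadForm` are assumptions so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the original post. Submits a form to an
// invisible iframe so the browser carries out the cross-domain POST, then
// uses the iframe's onload event to learn when the upload has finished.
// `doc` is injected (normally `document`) so the logic runs without a real DOM.

function createHiddenIframe(doc, name) {
  const iframe = doc.createElement('iframe');
  iframe.name = name;
  iframe.style.display = 'none'; // keeps the frame invisible to the user
  doc.body.appendChild(iframe);
  return iframe;
}

// Targets `form` at a fresh hidden iframe and submits it. `onLoad` fires
// once the server's response has loaded in the frame; `status.uploads`
// counts completed round trips so a caller can show progress.
function postToIframe(doc, form, onLoad) {
  const status = { frameName: 'upload_frame_' + Date.now(), uploads: 0, submitted: false };
  const iframe = createHiddenIframe(doc, status.frameName);
  iframe.addEventListener('load', function () {
    status.uploads += 1;
    // The response lives in a cross-domain frame, so this script cannot read
    // it; only the fact that the frame loaded is observable. The browser will
    // make this POST regardless of the client-side JSON permission check, so
    // the server itself has to decide who may upload.
    onLoad(status);
  });
  form.target = status.frameName;
  form.method = 'POST';
  form.enctype = 'multipart/form-data'; // required for <input type="file">
  form.submit();
  status.submitted = true;
  return status;
}

if (typeof document !== 'undefined') {
  // Browser usage: a real form (assumed id) containing a file input.
  const form = document.getElementById('fapUploadForm');
  if (form) {
    postToIframe(document, form, function (s) { console.log('uploads done:', s.uploads); });
  }
}
```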