Moritz Onken <[EMAIL PROTECTED]> wrote on 09/30/2008 01:08:38 PM:

>
> On 30.09.2008 at 19:20, Ashley wrote:
>
> > On Sep 30, 2008, at 10:08 AM, Moritz Onken wrote:
> >> "attackers can use POST"
> >>
> >> This is possible due to the fact that Flash movies can send any
> >> request to a server.
> >> You can achieve this even with an XMLHttpRequest.
> >
> > If scripting is involved that makes it an XSS attack instead, though.
> > No?
> >
> > -Ashley
>
> I was wrong about the XMLHttpRequest. Posting to another server is not
> possible because of the same-origin policy.
> But Flash movies can send POST requests to a different server without
> user interaction.

Actually, no. Flash can do GET to another server (hostname) but as of Flash 7 (they are at 9 now), you need a crossdomain.xml file on the receiving end to allow POST and data loads.

>
> XSS is more like posting a JavaScript snippet to a Facebook wall which
> does some JavaScript actions in the context of the user who opens that
> wall.
>
> cheers,
>
> moritz
>
> _______________________________________________
> List: [email protected]
> Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
> Searchable archive: http://www.mail-archive.com/[email protected]/
> Dev site: http://dev.catalyst.perl.org/
