We're getting an increasing number of questions about XSS, preventing people from using the mashup within a web page served from a different domain.
I'm quite tempted to complete my script-injection workaround, and make it available (at least as an alternate version). I hope people don't go into production with a solution that might be used to simplify XSS attacks, but XSS is really quite a pain during the development and testing phase.

In addition to using the alternative WSRequest.js version, I'll require a script wrapper proxy (.jsp?) installed on the mashup server. The alternative of writing proxies for the primary domain is safer but isn't as appealing since we'd need to write one for Apache, for IIS, and who knows what else.

What do you think? Will we be perceived as evil?

P.S. If I do succeed in this, it shows what a joke XSS is.

P.P.S. Still a chance I can fail, in which case the joke will be on me ;-).

Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
_______________________________________________
Mashup-dev mailing list
[email protected]
http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev
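The concern raised in the message above is that a script-wrapper proxy on the mashup server, if it will fetch any URL and wrap any response, becomes an open proxy that makes cross-domain abuse easier. The following is an added example, not WSRequest.js or any WSO2 code, of the two checks such a proxy would want before wrapping a response: an allowlist of target origins it is willing to fetch, and validation of the callback name so the wrapped script can only call a plain identifier. The allowlist entries, the function names and the `query` object shape are assumptions made for the example.

```javascript
// Added example (not project code): validation logic for a JSONP-style
// script-wrapper proxy. Hypothetical names; constructed allowlist.

// Origins the proxy is willing to fetch on behalf of the page. Matching on the
// full origin (scheme + host + port) means http:// and a look-alike host both fail.
// Constructed sample entries; a real deployment lists its own backends.
const ALLOWED_ORIGINS = new Set([
  "https://api.example.com",
  "https://services.example.org",
]);

// A callback must be an identifier or dotted path (e.g. "app.onResult"), so the
// wrapped output cannot smuggle arbitrary statements into the calling page.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isAllowedTarget(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);            // rejects malformed or relative URLs
  } catch (e) {
    return false;
  }
  if (u.username || u.password) return false; // no embedded credentials
  return ALLOWED_ORIGINS.has(u.origin);
}

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Wrap an upstream JSON body as a script that invokes the page's callback.
// Re-serialising through JSON.parse/JSON.stringify guarantees the payload is
// JSON, not raw upstream text that might contain script.
function wrapAsScript(callback, body) {
  if (!isValidCallback(callback)) throw new Error("rejected callback name");
  const data = JSON.parse(body);    // throws on a non-JSON upstream response
  return callback + "(" + JSON.stringify(data) + ");";
}

// Gate a proxy request. `query` is the parsed query string, e.g.
// { url: "https://api.example.com/ws", callback: "app.onResult" }.
function handleProxyRequest(query) {
  if (!isAllowedTarget(query.url)) {
    return { status: 403, reason: "target origin not in allowlist" };
  }
  if (!isValidCallback(query.callback)) {
    return { status: 400, reason: "callback is not a plain identifier" };
  }
  return { status: 200, target: query.url, callback: query.callback };
}

// Stand-alone demonstration with constructed inputs.
console.log(handleProxyRequest({ url: "https://api.example.com/ws/echo", callback: "app.onResult" }));
console.log(handleProxyRequest({ url: "https://evil.example.net/", callback: "app.onResult" }));
console.log(wrapAsScript("app.onResult", '{"result":"ok"}'));
```

The allowlist is what turns the script wrapper from an open relay into a proxy for the services the mashup actually needs, which is the property the per-domain proxies in the message would have had by construction; the callback check is what keeps the wrapper itself from becoming the injection vector.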
