+1

They can use iFrames for simple display of content, but might require a workaround if they want their JavaScript to access the content. A workaround sounds like a necessary evil in that case.

Tyrell

Jonathan Marsh wrote:
| We’re getting an increasing number of questions about XSS, preventing
| people from using the mashup within a web page served from a different
| domain.
|
| I’m quite tempted to complete my script-injection workaround, and make
| it available (at least as an alternate version). I hope people don’t go
| into production with a solution that might be used to simplify XSS
| attacks, but XSS is really quite a pain during the development and
| testing phase. In addition to using the alternative WSRequest.js
| version, I’ll require a script wrapper proxy (.jsp?) installed on the
| mashup server.
|
| The alternative of writing proxies for the primary domain is safer but
| isn’t as appealing since we’d need to write one for Apache, for IIS, and
| who knows what else.
|
| What do you think? Will we be perceived as evil?
|
| P.S. if I do succeed in this, it shows what a joke XSS is.
|
| P.P.S. still a chance I can fail, in which case the joke will be on me ;-).
|
| *Jonathan Marsh* - http://www.wso2.com - http://auburnmarshes.spaces.live.com
|
| ------------------------------------------------------------------------
|
| _______________________________________________
| Mashup-dev mailing list
| [email protected]
| http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev

--
Tyrell Perera
Senior Software Engineer; WSO2, Inc.; http://www.wso2.com/
cell: +94 77 302 2505
"Oxygenating the Web Service Platform."
http://tyrellperera.blogspot.com
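The thread above talks about two pieces: the browser-side restriction that stops a page on one domain from reading a web service response on another (the same-origin policy, which the thread calls XSS), and the "script wrapper proxy" that would turn a service response into a file loadable through a script tag. The example below is added here and is not WSRequest.js or any WSO2 code; it shows the origin comparison a browser applies and a defensively written wrapper of the kind Jonathan describes. Every name in it (sameOrigin, checkTarget, wrapAsScript, proxyScript, the example hosts and the WSRequest.onResult callback name) is a hypothetical assumption for illustration. The two checks that matter for a real deployment are visible in the code: the wrapper only fetches from a fixed list of hosts, so it cannot be pointed at arbitrary internal services, and it only accepts a plain identifier as the callback name, so the caller cannot smuggle script into the generated file.

```javascript
// Added example, not code from the WSO2 mashup project. All names are hypothetical.

// Same-origin comparison as browsers apply it: scheme, host and port must all
// match. The URL parser normalises default ports, so http://a/ and http://a:80/
// compare equal.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Hosts the wrapper proxy is willing to fetch from (constructed sample values).
// Without such a list the wrapper is an open proxy for anything the mashup
// server can reach.
const ALLOWED_HOSTS = new Set(['api.example.test', 'mashup.example.test']);

// Validate the target before fetching: http/https only, and the host must be
// on the allow list.
function checkTarget(targetUrl) {
  const u = new URL(targetUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('unsupported scheme: ' + u.protocol);
  }
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    throw new Error('target host not allowed: ' + u.hostname);
  }
  return u;
}

// Only a plain (optionally dotted) JavaScript identifier is accepted as the
// callback name. Anything else would let the requester inject arbitrary code
// into the script the proxy emits.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Turn a fetched body into a script that calls the page's callback with the
// body as a string literal. JSON.stringify guarantees the remote content is an
// expression, never code; U+2028/U+2029 are escaped because some engines treat
// them as line terminators inside JavaScript source.
function wrapAsScript(callbackName, body) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  const literal = JSON.stringify(String(body))
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return callbackName + '(' + literal + ');';
}

// The whole proxy step. The fetcher is injected so the example runs offline;
// a real proxy would perform the HTTP request here.
function proxyScript(targetUrl, callbackName, fetchBody) {
  const u = checkTarget(targetUrl);
  const body = fetchBody(u.href);
  return wrapAsScript(callbackName, body);
}

// Constructed scenario: a page on the portal origin wants a response from a
// service on another host. The browser refuses the direct read, so the page
// loads the wrapper's output via a script tag instead.
const PAGE_ORIGIN = 'http://portal.example.test/mashup.html';
const SERVICE_URL = 'http://api.example.test/stock?sym=WSO2';

function demo() {
  const blockedByBrowser = !sameOrigin(PAGE_ORIGIN, SERVICE_URL);
  const fakeFetch = () => '<quote><sym>WSO2</sym><price>12.5</price></quote>';
  const script = proxyScript(SERVICE_URL, 'WSRequest.onResult', fakeFetch);
  return { blockedByBrowser, script };
}

console.log(demo());
```

The page receiving the script still has to treat the string handed to its callback as untrusted data: parse it as XML or JSON, never evaluate it, and never write it into the document as HTML.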
