OK, I've got the script tunnel pretty well in hand, passing all the arguments to WSRequest.open and WSRequest.send to a .jsp on the mashup server. Now, I just need to invoke the Web Service. Do we have a WSRequest object that is accessible from within a jsp? Or do I have to clone the Axis code in the WSRequest Host Object?
Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Keith Chapman
> Sent: Monday, June 16, 2008 6:48 PM
> To: [email protected]
> Subject: Re: [mashup-dev] XSS solution?
>
> +1
>
> Thanks,
> Keith.
>
> Jonathan Marsh wrote:
> > We're getting an increasing number of questions about XSS, preventing people
> > from using the mashup within a web page served from a different domain.
> >
> > I'm quite tempted to complete my script-injection workaround, and make it
> > available (at least as an alternate version). I hope people don't go into
> > production with a solution that might be used to simplify XSS attacks, but
> > XSS is really quite a pain during the development and testing phase. In
> > addition to using the alternative WSRequest.js version, I'll require a
> > script wrapper proxy (.jsp?) installed on the mashup server.
> >
> > The alternative of writing proxies for the primary domain is safer but isn't
> > as appealing since we'd need to write one for Apache, for IIS, and who knows
> > what else.
> >
> > What do you think? Will we be perceived as evil?
> >
> > P.S. if I do succeed in this, it shows what a joke XSS is.
> >
> > P.P.S. still a chance I can fail, in which case the joke will be on me ;-).
> >
> > Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
> >
> > _______________________________________________
> > Mashup-dev mailing list
> > [email protected]
> > http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev
