On Fri, Oct 3, 2014 at 12:01 PM, Matti Karnaattu <[email protected]> wrote:
> No, you chose that web page to visit.

http://www.w3schools.com/xml/xml_http.asp

If the JavaScript contains an XMLHttpRequest object, it can call out to a different server (than the one you are visiting) without your explicit knowledge, download content, and do basically whatever the user the browser is running as can do, barring browser sandboxing, etc... and that's not the only way JavaScript can be used maliciously, as has been pointed out by others. There is good reason not to explicitly trust JavaScript or any other browser plugin that allows the remote site to execute code on your machine.

Granted, it doesn't necessarily take JavaScript: http://blog.fox-it.com/2014/01/03/malicious-advertisements-served-via-yahoo/

