Quoting "Wall, Kevin" <[EMAIL PROTECTED]>:
(clip)
> At another point, while Atlas JavaScript gadgets was being demoed,
> someone asked if one could use XMLHttpRequest (XHR) to invoke
> _any_ URL. The speaker correctly answered "no; only back to the
> originating host:port from where the JavaScript was downloaded
> from". The questioner then remarked something like "oh, that's too
> bad". But instead of explaining why allowing cross-domain requests
> is inherently a BAD Thing, the speaker replied "oh, don't worry;
> we also provide you with some software [apparently a proxy of
> sorts -kww] that Microsoft wrote that you can put on your web
> server so your users can call out to any URL that they wish,
> so it's not limited to calling just pages on your own site."
> "Great, I thought. Why don't you also provide some mechanisms to
> automatically insert random XSS and SQL injection vulnerabilities
> into your code too." Sigh.
> <snip>
Kevin,

Thanks, I almost fell out of my chair laughing. It reminds me of their "SOAP" idea to bypass those pesky firewalls.

Apple also finds that security measure "unfortunate" without an explanation of the underlying security reasons:

"Second, the domain of the URL request destination must be the same as the one that serves up the page containing the script. This means, unfortunately, that client-side scripts cannot fetch web service data from other sources..." (http://developer.apple.com/internet/webcontent/xmlhttpreq.html)

But never fear, tell your users who use Firefox to install the Greasemonkey extension, and hop, you can bypass this security nuisance (http://blog.monstuff.com/archives/000262.html -- though this entry points out it should be used only for development purposes and otherwise a bad idea). IE users just have to click OK in the "confirmation" dialog box that pops up.

I hate JavaScript because it makes me feel so much at the mercy of web developers, who sometimes require it just to emulate an <A> link or a submit button...

Pascal

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
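The proxy Kevin describes forwards a browser's request to whatever URL the page asks for, which turns the web server into an open relay into any network it can reach. The usual mitigation is to forward only to an explicit allowlist of origins. The following is an added example, not code from this thread or from the Microsoft proxy discussed; the helper name is_allowed_proxy_target and the allowlisted origins are assumptions.

```python
"""Origin allowlist check for a server-side XHR proxy (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host, port) origins the proxy may
# forward to. Anything not listed here, including the server's own
# internal hosts, is refused.
ALLOWED_ORIGINS = {
    ("https", "api.example.com", 443),
    ("https", "feeds.example.org", 8443),
}


def is_allowed_proxy_target(url: str) -> bool:
    """Return True only if url's exact origin is in ALLOWED_ORIGINS.

    The check is deliberately strict: https only, no embedded
    credentials (which can disguise the real host), and the port
    must match the listed one after applying the https default.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = 443
    return (parts.scheme, host, port) in ALLOWED_ORIGINS


if __name__ == "__main__":
    # Constructed sample of URLs a page might ask the proxy to fetch.
    for candidate in (
        "https://api.example.com/data.xml",
        "http://api.example.com/data.xml",
        "https://api.example.com@evil.example/",
        "https://localhost/admin",
    ):
        print(candidate, "->", is_allowed_proxy_target(candidate))
```

Only the first of the four sample URLs is forwarded; the others are refused for a downgraded scheme, embedded credentials, and an unlisted host respectively.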