Cross Server httpRequest

I have a small javascript / php widget that I want other people to be able to put on their website.

I do a httpRequest to get the information from the php script.

My url variable is equal to script.php, which works. However, when I place the script on another site it cannot make the request because the file is not found. Obviously.

So I changed the url variable to [url]http://www.myweb.com/script.php[/url], but this returns an error. Error: uncaught exception: [Exception… “Access to restricted URI denied” code: “1012” nsresult: “0x805303f4 (NS_ERROR_DOM_BAD_URI)”

Any ideas? I’m open to other ways to do this; I just want other people to be able to place my dynamic widget on their site.

JavaScript

13 Comment(s)

@MrNobody, Jan 29, 2009 — Just as with cross-domain scripting access, security normally prevents cross-domain AJAX access.
@felgall, Jan 29, 2009 — The way to do it is with two steps instead of one.

The Ajax needs to call a server side script on the same server the Ajax was loaded from. That script on the server can then access the other server to retrieve the required info and pass it back to the page.
@phingers, Jan 29, 2009 — How do google analytics and others do it then? They are obviously pulling in or sending data out?

Has to be a way to avoid the cross site scripting. I don't think people normally have access to put scripts on the server like that.
@voidvector, Jan 29, 2009 — You can use iframe, if you really need to do cross-domain AJAX in the current environment.

For a more future perspective, you may want to read up on XDomainRequest, which is currently supported by IE8; a similar feature is supported by Firefox (mentioned in the video).

As for Google Analytics, you can get a lot of information about the user without JavaScript. I've never analyzed their code, but being they are Google, they can probably cross-reference site's data with their own user data to add more information.
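Both XDomainRequest and the Firefox feature mentioned above work the same way on the server side: the widget host must opt in by sending an `Access-Control-Allow-Origin` response header (this is what became CORS). The following is an added example, not code from the thread, of the server-side half as the OP's host (www.myweb.com) would implement it: the browser sends the embedding page's origin in an `Origin` request header, and the host answers with the opt-in header only for origins on an allowlist of customer sites. The customer origins, the `corsHeadersFor` and `handleWidgetRequest` names and the payload are assumptions made for this example.

```javascript
// Added example (not from the thread): origin allowlisting for the
// XDomainRequest / Access-Control opt-in. Customer origins are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://customer-one.example",
  "http://blog.customer-two.example"
]);

// Return the response headers that permit this origin, or null to refuse.
// The comparison is on the whole serialized origin (scheme://host[:port]),
// never a prefix or substring: "https://customer-one.example.attacker.example"
// must not match. "Vary: Origin" keeps a shared cache from handing one
// customer's permitted response to a page on a different origin.
function corsHeadersFor(originHeader) {
  if (typeof originHeader !== "string") return null;
  // A well-formed Origin header is exactly one serialized origin; anything
  // with a path, trailing slash, whitespace or the literal "null" is refused.
  let parsed;
  try { parsed = new URL(originHeader); } catch { return null; }
  if (parsed.origin !== originHeader) return null;
  if (!ALLOWED_ORIGINS.has(originHeader)) return null;
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Vary": "Origin"
  };
}

// Decide the response for the widget endpoint given the request headers.
// A same-origin request (no Origin header) is served as before; a cross-site
// request is served with the opt-in headers for an allowed origin and
// refused otherwise. Returns a plain object so it can be checked directly.
function handleWidgetRequest(headers) {
  const payload = JSON.stringify({ widget: "hello from www.myweb.com" });
  if (headers.origin === undefined) {
    return { status: 200, headers: { "Content-Type": "application/json" }, body: payload };
  }
  const cors = corsHeadersFor(headers.origin);
  if (!cors) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "origin not allowed" };
  }
  return {
    status: 200,
    headers: Object.assign({ "Content-Type": "application/json" }, cors),
    body: payload
  };
}

module.exports = { corsHeadersFor, handleWidgetRequest };
```

If the widget is meant to be embeddable by anyone, `Access-Control-Allow-Origin: *` is the honest answer, but then the response must never depend on the visitor's cookies, since any page could read it.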
@JunkMale, Jan 29, 2009 — You can easily get around the X-Domain problems of the XMLHttpRequest / AJAX by using a CSS hack.

This hack completely shatters any security that the browser may impose.

Because I consider the "Hack" a security threat, I will not be publishing it here although if you know where to look, you will find it.
@MrNobody, Jan 29, 2009 — The only cross-domain CSS "hack" I know about requires the foreign server to send the data in a special, CSS-based format. That is not practical in the case where one has not made prior arrangements with the foreign site. But, perhaps, that is OK. ?
@JunkMale, Jan 29, 2009 — The particular hack I am referring to uses a CSS hack to fetch the payload.
[quote]... a device that allows you to run cross domain Ajax requests thanks to a CSS hack:

Similar to JavaScript, this works because CSS is not subject to the same-origin policy that affects XMLHttpRequest.[/quote]

I don't get the "Special CSS-Based format" you're referring to, the hack is using CSS request for a file, the file is text based and requires nothing more than the URL to fetch the payload.

As for your remark on prior arrangements, well if you're the hacker then it's not an issue as you would own the site or the URL and run the server yourself or pay for or use a cheap host where the payload is fetched from.
@MrNobody, Jan 29, 2009 — Well, the same place I saw this:
[quote]Like JavaScript includes, this works because CSS is not subject to the same-origin policy that affects XMLHttpRequest ... [but] is limited to making GET requests.[/quote]
...also said this:
[quote][Returned] data is encoded on the server into URI-encoded 2KB chunks and serialized into CSS rules with a modified data: URI scheme. The selector should be in the form #c<N>, where N is an integer index in [0,]. The response is decoded and returned to the callback function as a string...[/quote]
@JunkMale, Jan 29, 2009 — Yeah and that is it, IT CAN "GET" the data.

End of story, everyone lives unhappily ever after....
@MrNobody, Jan 29, 2009 — I didn't deny it could -- so I don't know what you're pounding on about. I only said:
[quote]The only cross-domain CSS "hack" I know about requires the foreign server to send the data in a special, CSS-based format.[/quote]
@rnd_me, Jan 30, 2009 —
[quote]The particular hack I am referring to uses a CSS hack to fetch the payload.

I don't get the "Special CSS-Based format" you're referring to, the hack is using CSS request for a file, the file is text based and requires nothing more than the URL to fetch the payload.

As for your remark on prior arrangements, well if you're the hacker then it's not an issue as you would own the site or the URL and run the server yourself or pay for or use a cheap host where the payload is fetched from.[/quote]

it can't do anything that jsonp can't do, probably with a lot more encoding.

you can fit a lot of data in a font-family tag with minimal encoding.

a getapplied style later, you have your data.

as far as i know, you never have access to the raw text of the stylesheet, just the resulting rules...
@JunkMale, Jan 31, 2009 —
[quote]I didn't deny it could -- so I don't know what you're pounding on about. I only said:[/quote]

I am not, I stated a fact, people answered and I asserted my initial argument.

This limitation is not a limitation to a hacker who wants to use this method, a CSS sheet is a text file at the end of the day.

So if a hacker managed to inject a server page with a CSS <link> tag, they could inject malicious code, whatever, the possibilities as far as I am aware have not yet been tried or exploited, if they had, it would be in the news about it, while on the subject I just stumbled on a page talking about using RSS feed from a server to take control of the remote machine that requests the RSS feed!

People bang on about how insecure javascript is, actionScript and this CSS hack poses more of a security risk than javascript ever has and some 15 years on after the event, people still bang on about security issues with javascript. Maybe people have been too focused on the one issue to move their focus to other technologies and start looking at how insecure they are and may be the vendors of browsers will actually do something about it.

IMHO a browser should only be able to fetch something from the domain it was served from, PERIOD. If that was the case, we would see people unable to hot link to content in pages.
@rnd_me, Jan 31, 2009 —
[quote]So if a hacker managed to inject a server page with a CSS <link> tag, they could inject malicious code, whatever, the possibilities as far as I am aware have not yet been tried or exploited, if they had, it would be in the news about it, while on the subject I just stumbled on a page talking about using RSS feed from a server to take control of the remote machine that requests the RSS feed![/quote]

are you sure?

i remember a small exploit in early firefox2 that would allow javascript urls to execute in css stylesheets.

one important thing about it to note was that there was no context to the script, so it couldn't do much.

there was no window object, no alert, document, etc.

so, even if code could be injected somehow, it should be harmless in the css sandbox.