[JavaScript] HTTP Header Spoof

davecline at onebox.com
Wed Jun 30 11:53:59 CDT 2004


A few comments first.

Mozilla does not allow cross domain scripting. You can allow cross domain scripting by enabling UniversalBrowser settings. But this only works for signed or quasi-signed scripts. A quasi-signed script can be considered a script run in a page loaded from the local file system, i.e. file:///. You can also virtually sign a script by setting a pref setting in Mozilla - search for UniversalBrowserRead in Google Groups. Basically you're hosed if you want to do cross domain scripting.

From a forum I found:

------------------
The basic solution to cross domain (xdomain) HTTP communication in Mozilla is "Don't Do It." 

What is cross domain? 

Cross domain is any communication made by the browser to a domain which is different from the domain from which the page or script was originally loaded. 

I.e.: 

You load your HTML based WebFace app from - 

file:///home/myapps/mytestapp/index.html 

Then you try to access a web service located at: 

http://localhost/myservices/service1.wsdl 

The fact that the protocols are different means a different domain. 

The list of cross domain boundaries are: 

protocol (file:/// vs. http://) 
domain (http://www.domainA.com vs. http://www.domainB.com) 
server name (http://wwwA.domain.com vs. http://wwwB.domain.com) 
port (http://www.domain.com:80/ vs. http://www.domain.com:81/) 

Any of these conditions will cause a cross domain security error. Searches for solutions for this condition include references to UniversalBrowserRead, UniversalBrowserWrite, UniversalXPConnect, which are enablement settings used on SIGNED scripts to allow cross domain security. 

Signed scripts are those which are either: 
running locally from the file system 
or 
signed using a very complex signing process 
or 
have had a preference set which marks all scripts as secure 

Such a preference CAN be set but doing this has serious repercussions with regards to security as well as an existing bug with mozilla. 

[ http://bugzilla.mozilla.org/show_bug.cgi?id=174001 ] 

Solution? 

Don't do cross domain. 

------------------
Example of a script using universalbrowserread on a "signed" script

function initiateXmlHttpRequest(action, url, xmlDocPayload)
{
  var xmlHTTP = new XMLHttpRequest();
  xmlHTTP.onload = xmlHttpRequestCallback;
  // Legacy Mozilla-only privilege API: asks the PrivilegeManager for
  // UniversalBrowserRead so that open() may target another domain.
  // The request is granted only to a signed script, a script running from
  // file:///, or when the "mark all scripts secure" pref is set; for any
  // other script the call throws a security exception. The privilege is
  // scoped to the function that requested it, so the open()/send() that
  // need it must follow in the same function.
  netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  xmlHTTP.open(action, url);
  xmlHTTP.send(xmlDocPayload);
}

function xmlHttpRequestCallback()
{
  // onload runs with the XMLHttpRequest object as `this`; the parsed
  // response (if any) is in this.responseXML.
  //var d = this.responseXML;
  alert("xmlHttpRequestCallback() invoked.");
  var s = "" + arguments.length + " arg(s):";
  for (var i = 0; i < arguments.length; i++)
  {
    s += "\n" + i + ": " + arguments[i];
  }
  alert(s);
}

// Other privilege names that can be requested the same way:
//netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
//netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

-- 
Dave Cline
davecline at gmail.com
www.bangeye.com/
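A worked check of the cross domain boundaries listed in the forum text above (protocol, domain/server name, port), as an added example that is not part of the original post and not Mozilla's code. It uses the standard WHATWG URL parser (global in Node.js and browsers) and runs offline; the URL pairs are the ones quoted in the post plus a few constructed ones. It reproduces only the boundary rules as listed, not the file:/// privilege exception the post describes; how it treats two file: URLs is an assumption of this example.

```javascript
// Added example (not from the original post): classifies a pair of URLs by
// the cross domain boundary that separates them, following the quoted list:
// protocol, host (domain or server name) and port. Returns null when the two
// URLs share an origin and a request between them would not trip the check.

// Default ports per scheme, so http://host/ and http://host:80/ compare equal.
// The URL parser already drops a default port; this keeps the rule explicit.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function effectivePort(u) {
  return u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
}

function crossDomainBoundary(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);

  // 1. protocol boundary: file:/// vs http://, or http:// vs https://
  if (a.protocol !== b.protocol) return "protocol";

  // file: URLs carry no host or port. The post treats file:/// pages as a
  // special, privileged case; here (an assumption of this example, not a rule
  // from the post) two file: URLs are the same origin only when they name
  // the same file, and otherwise count as a host boundary.
  if (a.protocol === "file:") return a.pathname === b.pathname ? null : "host";

  // 2. host boundary: covers both "domain" (www.domainA.com vs www.domainB.com)
  //    and "server name" (wwwA.domain.com vs wwwB.domain.com) from the list.
  //    hostname is lower-cased by the parser, so case differences do not count.
  if (a.hostname !== b.hostname) return "host";

  // 3. port boundary: :80 vs :81. An explicit default port equals the implicit one.
  if (effectivePort(a) !== effectivePort(b)) return "port";

  // Path and query are not part of the origin, so they are never compared.
  return null;
}

// The yes/no answer the post is really after.
function isSameOrigin(fromUrl, toUrl) {
  return crossDomainBoundary(fromUrl, toUrl) === null;
}

// Demo over the pairs from the quoted text (constructed sample input).
const SAMPLE_PAIRS = [
  ["file:///home/myapps/mytestapp/index.html", "http://localhost/myservices/service1.wsdl"],
  ["http://www.domainA.com", "http://www.domainB.com"],
  ["http://wwwA.domain.com", "http://wwwB.domain.com"],
  ["http://www.domain.com:80/", "http://www.domain.com:81/"],
  ["http://www.domain.com:80/", "http://www.domain.com/index.html"],
];

for (const [from, to] of SAMPLE_PAIRS) {
  const boundary = crossDomainBoundary(from, to);
  console.log(from + " -> " + to + ": " +
    (boundary === null ? "same origin" : "cross domain (" + boundary + ")"));
}
```

The last sample pair is the one people trip over: the explicit :80 and the implicit port, and two different paths, are still one origin, so only scheme, host and port decide whether the browser will refuse the request.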





-----Original Message-----
From:     Flavio Gomes <flavio at economisa.com.br>
Sent:     Tue, 29 Jun 2004 12:45:12 -0300
To:       "[JavaScript List]" <javascript at LaTech.edu>
Subject:  Re: [JavaScript] HTTP Header Spoof


 I don't want to pay for stream and disk space on phpserver ^^

---
Flavio Gomes
flavio at economisa.com.br



Mike Dougherty wrote:

> Why are you trying to live on two servers?
>
> can you use a hidden iframe to the other server?  perhaps using the 
> free server in the hidden frame, then using javascript to use xmlhttp 
> to set image source in the parent document?  (i haven't tested this, 
> so no idea if it'd work)
>
>
>
>>  In PHP I could do it, but the problem is that using it this way I'd 
>> still spend my php server stream to load the images/xml feed,
>
_______________________________________________
Javascript mailing list
Javascript at LaTech.edu
https://lists.LaTech.edu/mailman/listinfo/javascript
