I'm putting together a little tool that some business people can run on their local filesystems, since we don't want to set up a host for it.

Basically, it's just HTML + JavaScript (using jQuery) to pull some reports using REST from a 3rd party.

The problem is, FF3 and IE don't allow the ajax call, I get:

Access to restricted URI denied" code: "1012

Obviously it's an XSS issue... how do I work around it? The data returned is in XML format.

I was trying to do it this way:

$.get(productUrl, function (data)
{
  alert(data);
});

EDIT: To be clear... I'm not setting up an internal host for this (way too much red tape), and we CANNOT host this externally due to the data being retrieved.

EDIT #2: A little testing shows that I can use an IFRAME to make the request. Does anyone know if there are any downsides to using a hidden IFRAME?

A: 

If you have Python installed, a webserver to serve files can be as simple as

python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

Edit: Original poster can't use this approach, but in general I think this is the way to solve this particular problem for future users with this issue.

Greg
We have a no server policy on workstations...and this is to protect users from themselves.
FlySwat
+2  A: 

In a similar situation, my solution was to use Mark Of The Web, which is a special HTML comment that IE recognizes. It places the page in a different security zone.

Reference: MSDN

Chris Lundie
"..enabling Internet Explorer to force Web pages to run in the security zone of the location the page was saved from—as long as that security zone is more restrictive than the Local Machine zone" So doesn't that not work then?
Greg
Good point. I get a bit confused over which zone is more or less "restrictive", since adding the MOTW will allow your code to run, wouldn't that make it less restrictive? Depends on how you look at it.
Chris Lundie
By "more restrictive" they mean it can't load from the local filesystem as such.
Frank Schwieterman
A: 

Do you control the server providing the data? If so you can set up a callback. The basic idea is you have a function in the script that handles incoming data (in your case an XML string). Then the server responds to the request with a JavaScript snippet of your callback function with the string as the argument. And instead of using AJAX, you add a new script tag to the page. This is the basis for JSONP. It looks something like this.

local page.

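<script>
 // Called by the script the remote server returns, with the XML as a string.
 function callback(str)
 {
  alert(str);
 }
 // Requests the data by adding a script tag instead of using AJAX.
 function makeRequest(params)
 {
  var s = document.createElement('script');
  s.src = 'http://serveranywhere/script.bla?' + params;
  document.getElementsByTagName('head')[0].appendChild(s);
 }
</script>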

remote server returns

callback('<xml><that><does><something></something></does></that></xml>');

Now when the script is added to the page, the function callback will be executed with the string you provide. And jQuery can do all of this for you using JSONP in the $.ajax call. Hope this helps.

Morgan ARR Allen
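
The server side of the JSONP exchange in the answer above, as an added example that is not part of the original answer: both the callback name and the XML end up inside script the page executes, so the name is checked against a strict pattern and the XML is encoded as a string literal rather than pasted between quotes. The function names, the name pattern and the sample XML are assumptions made for illustration.

```javascript
// Added example, not from the original answer: building the server's
// "callback('<xml>...')" response body safely. All names are hypothetical.

// Assumption: a callback is a plain identifier, optionally dotted. The name is
// copied verbatim into executable script, so anything else is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Encode arbitrary text as a JavaScript string literal that is also safe
// inside an inline <script> block.
function toJsStringLiteral(text) {
  return JSON.stringify(String(text))
    .replace(/</g, '\\u003c')        // no "</script>" or "<!--" in the body
    .replace(/\u2028/g, '\\u2028')   // line separators end a string literal
    .replace(/\u2029/g, '\\u2029');  // in pre-ES2019 JavaScript engines
}

// Returns the response body, or null when the requested callback name is not
// acceptable (the caller would answer with an error instead of script).
function buildJsonpResponse(callbackName, xml) {
  if (typeof callbackName !== 'string' || callbackName.length > 64 ||
      !CALLBACK_RE.test(callbackName)) {
    return null;
  }
  return callbackName + '(' + toJsStringLiteral(xml) + ');';
}

// Stand-in for the browser loading the <script> tag: run the body with a
// function of that name in scope and return the argument it was given.
function simulateScriptLoad(body, callbackName) {
  let received;
  const run = new Function(callbackName, body);
  run(function (str) { received = str; });
  return received;
}

// Constructed sample payload with characters that break naive concatenation.
const sampleXml = "<report name='Q1'>\n<note>it's </script> here\u2028</note></report>";
const body = buildJsonpResponse('callback', sampleXml);
console.log(body);
console.log(simulateScriptLoad(body, 'callback') === sampleXml);
```
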