tags:

views:

107

answers:

2
+1  Q: 

What are the best options for non-malicious cross site scripting?

I want to write a browser based app that retrieves data from multiple websites and posts it to my server app. What are the best options to do this?

The most straightforward approach would certainly be to have the server app retrieve the data, but that's not possible for copyright reasons. In my case individual users do have the right to access the data but my server app doesn't. So the request has to originate from the user's machine.

This is not a scheme to circumvent copyright law as the data is never published. It's made available to authorized users only. The problem is simply how to use a web app as an extension of the users's desktop.

It would be a trivial and legal thing to do with a desktop app, but I don't want to force users to download and install software. So my question is if anyone knows how this can be achieved with browser extensions, silverlight, flash, etc and what the limitations of each approach would be.

Thanks in advance for your help

+1  A: 

Nope. You may say it's non-malicious, but the target site has no way to know that; if you could do it, any hacker could.

Unless you can persuade your target sites to let you in by having their own script set 'window.domain', or you can get away with exploiting a security hole they've left in their site, cross-site scripting is not possible, for good reason.

bobince  2008-10-19 09:54:16
I don't understand who is supposed to be protected by this limitation. The target site can be accessed via any desktop app, malicious or not, but it cannot be accessed via a web app. That doesn't make sense to me.
fgg  2008-10-19 10:08:38
A desktop app is *much* more privileged than a web site. They can happily nick your account details, log into your bank and steal all your money... not something you would want any random web page you visit to be able to do.
bobince  2008-10-19 22:24:55
Not sure what this has to do with the issue at hand. It's not the user who gets to decide whether web app A can access web app B. The decision is left to web app B and that's not quite logical. It appears to be some kind of crude anti DOS attack provision.
fgg  2008-10-25 14:13:09
+1  A: 

You can write a web scraper that do a user authentication and scrap the specific pages and post in others servers without problem. You can distribute this software to run in different desktops with different users as well.

VP  2008-10-19 11:17:45
Sure, but that wouldn't be a browser based app. I want it to be legal and convenient for users.
fgg  2008-10-19 12:25:49

related questions

Make Browser Window Blink in Task Bar
Large File Download
Browser's Default CSS
Disable browser 'Save Password' functionality
What's the simplest way to decremement a date in Javascript by 1 day?
Browser scrollbar
Limitations of screen readers.
Version detection with Silverlight
Best way to fix CSS/JS drop-down problem in IE7 when page includes Google Map
Recommendations for browser add-on tools to help with development
Hyperlinks displaced on IE7
Building Standalone Applications in JavaScript
HTML differences between browsers
Browser Sync accross many machines
Getting selected text in a browser, cross-platform.
How to get PNG transparency working in browsers that don't natively support it?
Best WYSIWYG CSS editor?
Javascript events
Preferred way to use favicons?
IE6: To support or not to support.
Getting the text from a drop-down box
Other browsers
Drag and Drop to a hosted Browser control
How can I tell if a web client is blocking ads?
How can I determine a web user's time zone?