views: 70

answers: 4

Just curious if anyone can explain to me why I can request a page from a bookmarklet like this one:

javascript:var%20s=document.createElement('script');var data=encodeURI(location.href)+encodeURI('\n\n')+(encodeURI(document.getElementsByTagName('body')[0].innerHTML));s.setAttribute('src','http://example.com/remote.php?id=68&act=new&data='+data);document.getElementsByTagName('body')[0].appendChild(s);void(s);

Which goes out and requests a page and can even provide GET-variable input.

However, I can't make a post/get XHR with ajax through something like jQuery due to the same origin policy... Why? Is this a browser issue or part of the standards?

note: I changed the bookmarklet. Note 2: My question is why isn't this a violation of policy?

+2  A: 

The difference is that you cannot (directly) read the response that becomes the <script> element.

If the URL happens to return Javascript that defines useful functions, you can use it.
If it contains anything else (such as JSON or XML data), you cannot read the response.

Similarly, you can make an <img> element that points to an image in a different domain.

SLaks
+1  A: 

This bookmarklet isn't violating the same origin policy. Only XHTTP requests are limited by this policy, and this bookmarklet is adding a script element to the page.

DOM Elements (such as images and scripts) are free to fetch resources from anywhere on the internet.

While any script can effectively execute a GET request cross-domain by constructing script or img requests via the DOM, it will be unable to extract any data from that resource unless the returned response is formed appropriately. An appropriately formed response is actually the basis for cross-domain ajax.

altCognito
A: 

That bookmarklet doesn't xhr-request something from another server, but appends a script from that other server, which is acceptable and doesn't conflict with the same origin policy.

Actually this is the known workaround to do this kind of cross server communication, take a look at jsonp.

aularon
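The "appropriately formed response" that altCognito mentions and the JSONP workaround aularon points to, simulated end to end in Node as an added example (not code from the thread; the endpoint, parameter names and helper functions are hypothetical). The server wraps its data in a call to a function the page defines, so the script that the browser fetches cross-origin hands the data back to the page; a bare JSON body would execute just as well but leave nothing readable.

```javascript
// Server side: what a hypothetical endpoint returns when asked for ?callback=NAME.
// Plain JSON would execute as a script without handing the page any value;
// wrapping it in a call to a page-defined function is what makes it readable.
// The name is validated so the response cannot be turned into arbitrary code.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*$/;
function jsonpResponse(callbackName, data) {
  if (!SAFE_CALLBACK.test(callbackName)) {
    throw new Error(`rejected callback name: ${callbackName}`);
  }
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Client side: build the URL the page would put into a <script src>.
function buildScriptUrl(endpoint, params, callbackName) {
  const query = Object.entries({ ...params, callback: callbackName })
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `${endpoint}?${query}`;
}

// Stand-in for the browser running the fetched script in the page's global
// scope: the script only sees the callback name we expose, and we capture
// what it passes to that callback. Returns the delivered value, or null.
function executeAsScript(scriptText, callbackName) {
  let received = null;
  const callback = (payload) => { received = payload; };
  new Function(callbackName, scriptText)(callback);
  return received;
}

// Full round trip: the page exposes handleData, requests the script with
// callback=handleData, and the server's wrapped reply delivers the data.
function jsonpRoundTrip(data) {
  const url = buildScriptUrl('http://example.com/remote.php',
                             { id: '68', act: 'new' }, 'handleData');
  const callbackName = new URL(url).searchParams.get('callback');
  const body = jsonpResponse(callbackName, data); // the server's reply
  return executeAsScript(body, 'handleData');
}

// For contrast: a bare JSON array also executes fine as a script, but leaves
// nothing the page can read, which is the limitation the answers describe.
function plainJsonYieldsNothing(jsonText) {
  return executeAsScript(jsonText, 'handleData') === null;
}
```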
+1  A: 

Same Origin Policy for javascript doesn't let pages from different domains communicate or access each other's objects, whether to read or to write; it also doesn't allow xmlhttprequests (ajax calls) to request data from other servers.

However, it has nothing to do with allowing scripts referenced on other servers. As @SLaks said, you can add a <script> tag from another server, just as you can add an <img> tag from another server.

aularon