Comments on: Cross-Site XMLHttpRequest in Firefox 3

By: tlrobinson

tlrobinson — Tue, 22 Apr 2008 22:32:07 +0000

So this is basically like crossdomain.xml in Flash??

By: luca

luca — Thu, 10 Apr 2008 14:55:47 +0000

maybe this will light you up
http://websecurity.ro/blog/2008/04/10/cross-domain-requests-will-be-back/

By: stauren

stauren — Tue, 29 Jan 2008 08:47:39 +0000

I think this could enable some kind of attacks like, using js to steal the password in the page and send back to the attacker’s sever by xmlhttp request.
This is normally not available, but in FF3 this is available if the attacker had configured his own server correctly!

By: pool

pool — Mon, 14 Jan 2008 15:32:11 +0000

Beside if this is a ‘good’ or ‘bad’ thing, I think it would still take half a decade to use this method unobtrusively in web applications. (since this would probably be the time Microsoft needs to adobt this and all it’s users upgraded)

By: alexeiwhite

alexeiwhite — Fri, 11 Jan 2008 19:42:04 +0000

I think there is a huge need for this. Bottlenecks on proxies, easy integration of Ajax components that connect to a central webservice, etc.

By: pwb

pwb — Fri, 11 Jan 2008 06:35:28 +0000

The risks are actually pretty huge. The biggest being infiltration behind firewalls. A malicious server could serve a cross-domain script that essentially robots through an unsuspecting surfer’s intranet.

By: linizou

linizou — Fri, 11 Jan 2008 03:18:35 +0000

cross-site XMLHTTPRequests helpful .

By: ded

ded — Fri, 11 Jan 2008 02:02:43 +0000

wasn’t there plans to implement the cross-site jsonrequest function proposed from crockford almost 2 years ago?

By: Hans Schmucker

Hans Schmucker — Fri, 11 Jan 2008 00:50:15 +0000

Protecting the user is exactly the reason why we need cross-site XMLHTTPRequests… as stated before we could use JSON, but getting data from JSON without using exec (which should never be done with data that you get from a thirdparty server) is a pain. A crosssite XMLHttprequest is much safer… I mean, what harm can it to as long as protected data is not marker allow=â€*â€, which hopefully nobody in their right mind would do…

By: bander

bander — Thu, 10 Jan 2008 18:30:37 +0000

It's protecting the client from having its cookie-authenticated data exposed to malicious sites. And yeah, bnye, unprotected JSON (or Javascript, even more so) is basically allow="*". So if you want to allow other sites to use data associated with your users, totally. If not, protect your JSON.

By: bnye

bnye — Thu, 10 Jan 2008 17:54:08 +0000

Is this a good place to use Json instead?