Circumventing Browser same-origin policy / XSS methods

Alex Egg,

If I try to do an ajax request to an arbitrary URL I will get this error:

xhr = new XMLHttpRequest(); xhr.open("GET", "", true);


  1. Dynamic Script tag w/ JSON callbacks

This is the same-origin policy error. However, you may wonder how various JS APIs, like Google Maps or the Facebook JS API, work: they are clearly pulling data from their servers into your page. There are various ways around the same-origin policy, which I wish to enumerate here.

Dynamic Script Tag / JSON callback

I want to call API on so I would add a script tag to the DOM w/ the api endpoint. For example

This would then return JavaScript like this:

arbitraryCallbackFunction({ /* arbitrary JSON */ });

Then the arbitraryCallbackFunction on my page would be called and passed the JSON body, effectively doing an AJAX request to a remote server and circumventing the same-origin policy.
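The exchange described above, with both sides shown, as an added example that is not code from the original post. The `callback` query parameter, the function names and the `fakeDocument` stand-in (constructed so the exchange can run outside a browser) are assumptions.

```javascript
// Added example, not code from the original post. The `callback` query
// parameter and every function name here are assumptions.

// Server side: wrap the JSON body in a call to the function the client named.
// The name ends up in executable script, so only a plain identifier is accepted.
function buildJsonpResponse(callbackName, data) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// Client side: expose a one-shot global callback, then add a <script> tag
// pointing at the endpoint. The browser fetches the response and runs it as
// script in this page's origin, which is how the data crosses origins.
// `doc` and `scope` default to the browser globals; they are parameters only
// so the exchange can be exercised without a browser.
let jsonpCounter = 0;
function jsonpRequest(endpoint, onData, doc = document, scope = window) {
  const name = "jsonpCallback" + (jsonpCounter++);
  const script = doc.createElement("script");
  scope[name] = function (data) {
    delete scope[name]; // one-shot: unregister the global
    if (script.parentNode) script.parentNode.removeChild(script);
    onData(data);
  };
  const sep = endpoint.includes("?") ? "&" : "?";
  script.src = endpoint + sep + "callback=" + encodeURIComponent(name);
  doc.head.appendChild(script);
  return name;
}

// Constructed stand-in for the browser and the remote server: "loading" the
// script builds the JSONP response and executes it against `scope`.
function fakeDocument(scope, serverData) {
  return {
    createElement: () => ({ src: "", parentNode: null }),
    head: {
      appendChild(script) {
        const cb = new URL(script.src).searchParams.get("callback");
        const body = buildJsonpResponse(cb, serverData);
        // Run the response text with the callback name bound to scope[cb].
        new Function(cb, body)(scope[cb]);
      },
    },
  };
}
```

Because the response runs as script in the calling page, the page is trusting the remote server with everything its own scripts can do.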




Last edited by Alex Egg, 2016-10-05 19:15:48