Circumventing Browser same-origin policy / XSS methods
If I try to make an AJAX request to an arbitrary cross-origin URL, the browser refuses it and reports a same-origin policy error in the console:
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://google.com", true); // cross-origin request: the browser blocks the response
xhr.send(null);
This is the same-origin policy error. However, you may wonder how various JS APIs such as Google Maps or the Facebook JS API work: they clearly pull data from their own servers into your page. The policy restricts what script on your page may read back from a cross-origin response; it does not stop the browser from loading cross-origin scripts, images, or iframes, and that asymmetry is what the workarounds below rely on. There are various ways around the same-origin policy, which I wish to enumerate here.
Dynamic Script Tag / JSON callback
I want to call an API on remotesite.com, so I add a script tag to the DOM whose src is the API endpoint, for example http://remotesite.com/api?query=get.users&token=asfxjee993 (the name of the function I want called back is usually passed as an extra query parameter).
Instead of plain JSON, the endpoint returns JavaScript like this:
arbitraryCallbackFunction({arbitrary JSON});
The browser executes it, so the arbitraryCallbackFunction defined on my page is called with the JSON body as its argument, effectively performing an AJAX request to a remote server and circumventing the same-origin policy. Two caveats: this only works if remotesite.com cooperates by wrapping its output in the callback, and the returned script runs with the full privileges of my page, so I am trusting remotesite.com (and anyone who can tamper with that plain-HTTP response) to run code on my origin, while the token travels in the URL of a script request.
Iframes
Permalink: circumvent-same-origin-policy