Circumventing Browser same-origin policy / XSS methods

Alex Egg,

If I try to make an AJAX request to an arbitrary URL from my page, I get this error:

// Cross-origin request from the page's origin; without CORS headers on the
// response the browser refuses to expose it to the script.
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://google.com", true);
xhr.send(null);


This is the same-origin policy error. However, you may wonder how various JS APIs such as Google Maps or the Facebook JS API work; they are clearly pulling data from their servers into your page. There are various ways around the same-origin policy, which I wish to enumerate here.

Dynamic Script Tag / JSON callback

Suppose I want to call an API on remotesite.com. I would add a script tag to the DOM whose src is the API endpoint, for example http://remotesite.com/api?query=get.users&token=asfxjee993

The endpoint would then return JavaScript like this:

arbitraryCallbackFunction({ /* arbitrary JSON */ });

Then the arbitraryCallbackFunction defined on my page would be called and passed the JSON body, effectively doing an AJAX request to a remote server and circumventing the same-origin policy.
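The exchange described above, as an added example that is not code from the original post: a minimal JSONP client alongside the server-side wrapper it expects. It assumes the endpoint accepts the callback name in a `callback` query parameter (the post does not say how the server learns the function name), and remotesite.com is a hypothetical host. The server-side helper also shows the check a defender wants on such an endpoint: because the response is executed as script in the caller's page, the callback name must be restricted to a plain identifier, otherwise the parameter becomes a reflected script injection point. The client side likewise has to accept that whatever remotesite.com returns runs with the full privileges of the page.

```javascript
// Added example; not the original post's code. Hypothetical endpoint on remotesite.com.
const JSONP_CALLBACK_PREFIX = "__jsonp_cb_";
let jsonpCounter = 0;

// Build the <script src> URL: the API parameters plus the callback name
// (assumed to be passed as ?callback=<name>).
function buildJsonpUrl(endpoint, params, callbackName) {
  const url = new URL(endpoint);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value);
  url.searchParams.set("callback", callbackName);
  return url.toString();
}

// Server side: wrap the JSON payload in a call to the requested callback.
// The name is restricted to a JavaScript identifier so a crafted ?callback=
// value cannot place arbitrary script into the response body.
function renderJsonpResponse(callbackName, data) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/.test(callbackName)) {
    throw new Error("invalid JSONP callback name");
  }
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Client side (browser): register a one-off global callback, inject the
// script tag, and resolve with the data the remote script hands to it.
function jsonpRequest(endpoint, params, { timeoutMs = 5000, win = globalThis, doc = globalThis.document } = {}) {
  return new Promise((resolve, reject) => {
    const cbName = JSONP_CALLBACK_PREFIX + jsonpCounter++;
    const script = doc.createElement("script");
    let timer;
    const cleanup = () => {
      clearTimeout(timer);
      delete win[cbName];
      script.remove();
    };
    timer = setTimeout(() => { cleanup(); reject(new Error("JSONP timeout")); }, timeoutMs);
    win[cbName] = (data) => { cleanup(); resolve(data); };
    script.onerror = () => { cleanup(); reject(new Error("JSONP script failed to load")); };
    // Everything the remote host returns executes here as first-party script.
    script.src = buildJsonpUrl(endpoint, params, cbName);
    doc.head.appendChild(script);
  });
}

// Node-friendly emulation of the round trip: the "server" renders the
// response and the "browser" executes it, which invokes the page's callback.
function simulateJsonpRoundTrip(data) {
  const cbName = JSONP_CALLBACK_PREFIX + jsonpCounter++;
  let received;
  globalThis[cbName] = (payload) => { received = payload; };
  const responseScript = renderJsonpResponse(cbName, data);
  new Function(responseScript)(); // stands in for the <script> tag executing
  delete globalThis[cbName];
  return received;
}

// Constructed sample payload standing in for remotesite.com's get.users reply.
const SAMPLE_USERS = { users: [{ id: 1, name: "alice" }, { id: 2, name: "bob" }] };

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildJsonpUrl("http://remotesite.com/api", { query: "get.users", token: "asfxjee993" }, "cb"));
  console.log(renderJsonpResponse("cb", SAMPLE_USERS));
  console.log(simulateJsonpRoundTrip(SAMPLE_USERS));
}
```

In a real page the call is `jsonpRequest("http://remotesite.com/api", { query: "get.users", token: "asfxjee993" }).then(...)`; the temporary global is removed once the script runs or times out, so repeated requests do not accumulate callbacks on `window`.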

Iframes

Last edited by Alex Egg, 2016-10-05 19:15:48