I know tools like Firebug trace into external source but it's installed on the platform and likely has special ability outside the context of the browser sandbox.
preguntado el 08 de enero de 11 a las 23:01
<script> tags. This is actually not an oversight, but rather a security feature: suppose I request the
.json file that Gmail requests via AJAX to load your inbox by putting it in an external
So, making up a few things about how Gmail works, here's how the attack would look:
If a script tag had the value
externalScriptContent, I could just put whatever URL in for the
src that I wanted, and then summon up the remote file's contents, effectively circumventing AJAX cross-origin restrictions. That'd be bad. We allow cross-origin requests for remote scripts because they are run and run only. They cannot be read.
Firebug has these permissions because Firefox extensions have the ability to inspect anything that the browser requests; normal pages, thankfully, do not.
¡Sin embargo! Bear in mind that, if the script is on your domain, instead of writing it in
<script src="…"></script> form, you can pull it up with an AJAX request then
eval it to have access to the contents and still only request it once :)
Puede analizar el
<script> tag and re-request the js file by
XMLHttpRequest, it will likely be readily served from cache and with credentials of the current page. But unless both your requesting script and the script in the tag originate from the same domain, the browser will disallow this.