I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.
It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.
Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?
Well, although you will have to change the server and client code a little bit, it isn't very clean, and you will have to trust the server, you can load the data as JavaScript which contains a call to a function in your page and a big string or so as the parameter. This seems to be a good example.
Alternatively, you could serve the files from a local webserver and fiddle around with the hosts file and document.domain.
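The "load the data as JavaScript that calls a function in your page" approach from the answer above, as an added example rather than code from the original answer: a server-side wrapper that emits the callback call, and a client-side receiver that models the browser executing the returned script. The helper names (`buildJsonpResponse`, `receiveJsonp`, `handleData`) and the sample API response are assumptions; the point visible here is that the returned text runs as code in the page, which is why the server has to be trusted, and why the callback name must be validated before it is reflected.

```javascript
// Added example (not from the original answer): script-tag data loading (JSONP).
// The server returns executable JavaScript, so whatever it sends runs with the
// page's privileges; the client must trust it and the server must validate
// the callback name it reflects.

// --- server side (hypothetical helper) -------------------------------------
// Accept only a plain identifier as the callback name. Reflecting an
// unvalidated callback parameter would turn the response into a script
// injection point.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function buildJsonpResponse(callbackName, data) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid JSONP callback name");
  }
  // JSON.stringify yields the "big string or so" passed as the parameter.
  return `${callbackName}(${JSON.stringify(data)});`;
}

// --- client side (hypothetical helper) -------------------------------------
// In a real page this would be:
//   const s = document.createElement("script");
//   s.src = apiUrl + "?callback=handleData";
//   document.head.appendChild(s);
// Here new Function models the browser evaluating the fetched script with the
// page's callback(s) in scope, so the trust boundary is explicit.
function receiveJsonp(scriptText, callbacks) {
  const names = Object.keys(callbacks);
  const run = new Function(...names, scriptText);
  run(...names.map((n) => callbacks[n]));
}

function demo() {
  let received = null;
  const page = { handleData: (d) => { received = d; } };
  // Constructed sample API response for a fictional user record.
  const body = buildJsonpResponse("handleData", { user: "alice", roles: ["dev"] });
  receiveJsonp(body, page);
  return received; // the object the server chose to send
}
```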
I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.