Ajax.Request 到外部站点:是否 XSS?
我认为下面的内容不起作用,因为我正在尝试 XSS,但我尝试执行本地端口重定向来确认,但它仍然不起作用。有人可以告诉我这是否是 XSS,如果不是,为什么它不起作用?
<html>
<div id="output"></div>
<script src="prototype.js" type="text/javascript"></script>
<script type="text/javascript">
function test()
{
this.url = "http://www.google.com"
}
test.prototype.run = function()
{
var request = new Ajax.Request(this.url,
{
method: "get",
onSuccess: this.success.bind(this),
onFailure: function(response) { alert("failure"); }
});
};
test.prototype.success = function(response)
{
var debug = "this.url = " + this.url + ",<br>"
+ " response.status = " + response.status + ",<br>"
+ " response.statusText = " + response.statusText + ",<br>"
+ " response.readyState = " + response.readyState + ",<br>"
+ " response.responseText = " + response.responseText + ",<br>"
+ " response.responseXML = " + response.responseXML + ",<br>"
+ " response.responseJSON = " + response.responseJSON + ",<br>"
+ " response.headerJSON = " + response.headerJSON + ",<br>"
+ " response.request = " + response.request + ",<br>"
+ " response.transport = " + response.transport + ",<br>"
+ " response.transport.readyState = " + response.transport.readyState + ",<br>"
+ " response.transport.responseText = " + response.transport.responseText + ",<br>";
document.getElementById("output").update(debug);
};
new test().run();
</script>
</html>
I thought the below was not working because I was attempting XSS, but I tried performing a local port redirect to confirm, and it still wouldn't work. Can someone let me know if this is XSS or not, and if not, why it's not working?
<html>
<div id="output"></div>
<script src="prototype.js" type="text/javascript"></script>
<script type="text/javascript">
function test()
{
this.url = "http://www.google.com"
}
test.prototype.run = function()
{
var request = new Ajax.Request(this.url,
{
method: "get",
onSuccess: this.success.bind(this),
onFailure: function(response) { alert("failure"); }
});
};
test.prototype.success = function(response)
{
var debug = "this.url = " + this.url + ",<br>"
+ " response.status = " + response.status + ",<br>"
+ " response.statusText = " + response.statusText + ",<br>"
+ " response.readyState = " + response.readyState + ",<br>"
+ " response.responseText = " + response.responseText + ",<br>"
+ " response.responseXML = " + response.responseXML + ",<br>"
+ " response.responseJSON = " + response.responseJSON + ",<br>"
+ " response.headerJSON = " + response.headerJSON + ",<br>"
+ " response.request = " + response.request + ",<br>"
+ " response.transport = " + response.transport + ",<br>"
+ " response.transport.readyState = " + response.transport.readyState + ",<br>"
+ " response.transport.responseText = " + response.transport.responseText + ",<br>";
document.getElementById("output").update(debug);
};
new test().run();
</script>
</html>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
它不是 XSS(这是一种攻击 Web 应用程序客户端的方法),而只是此处生效的同源策略。您不能简单地使用 Ajax 请求从您自己的域以外的域(您自己的域,即加载 Web 应用程序的域)请求数据。
在此了解更多信息:http://en.wikipedia.org/wiki/Same_origin_policy
it's not XSS (which is a way to attack the client side of web applications), but it is simply the same origin policy being in effect here. You can't simply request data with an Ajax request from a domain other than your own (your own meaning the one your web application was loaded from).
Learn more about it here: http://en.wikipedia.org/wiki/Same_origin_policy