patch: stub implementation of XMLHttpRequest
Maciej Stachowiak
mjs at apple.com
Tue Feb 24 23:21:24 CET 2004
On Feb 23, 2004, at 9:01 PM, Dirk Mueller wrote:
> On Tuesday 24 February 2004 05:03, Maciej Stachowiak wrote:
>
>> So since you agree, I'll go with toString.
>
> please post the patch when you finished it, thanks.

Will do.

>>> hosts if the domain of the document is adjusted first. did you test
>>> that?
>> I'm not sure what you mean. How would you adjust the domain of the
>> document?
>
> via JavaScript. Assuming that the script is currently loaded from the
> document in the domain "www.kde.org", you can do this:
>
> document.domain="bugs.kde.org";
>
> and then it would be interesting if XMLHttpRequest allows access to
> bugs.kde.org

Assigning document.domain will only let you set the domain to a suffix
of the current domain, for instance you could change it from
"www.kde.org" to "kde.org". So perhaps it's not that much of a risk,
but yes, it will affect XMLHttpRequest just like it affects XSS.

I am not sure why you are allowed to set domain at all, even to a
suffix. It seems like a potential security risk.

> Yes, exactly, if there is anything more than restricting the access
> method (get, put, head etc) and the url.

Nope, no such thing. You can put anything in the headers or body.

Regards,
Maciej
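
The suffix rule discussed in the message above, as an added example that is not part of the original e-mail or of KHTML's code: a small model of when a document.domain assignment is accepted and which host a gate comparing effective domains would then match. All function names and the tiny PUBLIC_SUFFIXES set are assumptions constructed for illustration; refusing bare public suffixes is not stated in the message but is part of the document.domain setter in the HTML Standard.

```javascript
// Constructed stand-in for a real public suffix list (assumption, not real data).
const PUBLIC_SUFFIXES = new Set(["org", "com", "co.uk"]);

// True if `requested` equals `current` or is a suffix of it that starts
// on a label boundary ("kde.org" for "www.kde.org", but never "de.org").
function isDomainSuffix(current, requested) {
  const cur = current.toLowerCase();
  const req = requested.toLowerCase();
  if (req === "") return false;
  return cur === req || cur.endsWith("." + req);
}

// Decide whether a document.domain assignment should be accepted.
function canSetDocumentDomain(current, requested) {
  if (!isDomainSuffix(current, requested)) return false;
  // A bare public suffix would let every page under it meet at one domain.
  return !PUBLIC_SUFFIXES.has(requested.toLowerCase());
}

// Hypothetical document model: the real host plus the effective domain.
function makeDocument(host) {
  return { host: host, domain: host.toLowerCase() };
}

// Apply an assignment, checking against the current effective domain,
// so a domain can be shortened but never widened again.
function setDomain(doc, requested) {
  if (!canSetDocumentDomain(doc.domain, requested)) {
    throw new Error('refused: "' + requested + '" is not an allowed suffix of "' + doc.domain + '"');
  }
  doc.domain = requested.toLowerCase();
  return doc;
}

// Host check of a request gate that compares effective domains exactly.
function mayAccess(doc, targetHost) {
  return doc.domain === targetHost.toLowerCase();
}
```

In this model a page on www.kde.org can never name bugs.kde.org, and after shortening its domain to kde.org it matches only the host kde.org itself.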