Ajax.请求外部站点:是否XSS

Ajax.Request to external site: XSS or not?

本文关键字:是否 XSS 站点 请求 外部 Ajax      更新时间:2023-09-26

我认为下面不起作用,因为我正在尝试XSS,但我尝试执行本地端口重定向来确认,它仍然不起作用。有人能让我知道如果这是XSS或不是,如果不是,为什么它不工作?

<html>
   <div id="output"></div>
   <script src="prototype.js" type="text/javascript"></script>
   <script type="text/javascript">
      function test()
      {
         this.url = "http://www.google.com"
      }
      test.prototype.run = function() 
      {
         var request = new Ajax.Request(this.url, 
            {
               method: "get",
               onSuccess: this.success.bind(this),
               onFailure: function(response) { alert("failure"); }
            });
      };
      test.prototype.success = function(response)
      {
         var debug = "this.url = " + this.url + ",<br>"
            + " response.status = " + response.status + ",<br>"
            + " response.statusText = " + response.statusText + ",<br>"
            + " response.readyState = " + response.readyState + ",<br>"
            + " response.responseText = " + response.responseText + ",<br>"
            + " response.responseXML = " + response.responseXML + ",<br>"
            + " response.responseJSON = " + response.responseJSON + ",<br>"
            + " response.headerJSON = " + response.headerJSON + ",<br>"
            + " response.request = " + response.request + ",<br>"
            + " response.transport = " + response.transport + ",<br>"
            + " response.transport.readyState = " + response.transport.readyState + ",<br>"
            + " response.transport.responseText = " + response.transport.responseText + ",<br>";
         document.getElementById("output").update(debug);
      };
      new test().run();
   </script>
</html>

这不是XSS(这是一种攻击web应用程序客户端的方式),但它只是同源策略在这里生效。你不能简单地从你自己的域(你自己的意思是你的web应用程序是从哪里加载的)以外的域用Ajax请求请求数据。

在这里了解更多信息:http://en.wikipedia.org/wiki/Same_origin_policy

相关文章: