How to access plain text content retrieved via [removed] in JavaScript?
When using , where the URL refers to a plain text file, is there a way to access the content
-
Note that if this were supported, it would provide a huge security hole and a means of getting around cross-site scripting protections that protect json and other data. Essentially, my nasty web page (nasty.com, say) could access your private data that's protected by cookies by loading it using a script tag. e.g.
Since the cookies for supersecure.com will automatically be sent with the request (as is the case when requesting any resources), the secure site just returns the data (e.g. the list of private docs) since it couldn't easily tell the request apart from one from an ajax request from its legitimate webpage. This hole doesn't exist with ajax, since the browser will simply prevent a page from nasty.com from making an ajax request to supersecure.com, thanks to the same origin policy.
Obviously, there's no security problem with inline data.
加载中...
- 热议问题