Question

I'm putting together a little tool that some business people can run on their local filesystems, since we don't want to set up a host for it.

Basically, it's just HTML + JavaScript (using jQuery) to pull some reports using REST from a 3rd party.

The problem is, FF3 and IE don't allow the ajax call, I get:

Access to restricted URI denied" code: "1012

Obviously it's an XSS issue...how do I work around it? The data returned is in XML format.

I was trying to do it this way:

$.get(productUrl, function (data){
    alert (data);
});

EDIT: To be clear...I'm not setting up an internal host for this (way too much red tape), and we CANNOT host this externally due to the data being retrieved.

EDIT #2: A little testing shows that I can use an IFRAME to make the request. Does anyone know if there are any downsides to using a hidden IFRAME?


Solution

In a similar situation, my solution was to use Mark Of The Web, which is a special HTML comment that IE recognizes. It places the page in a different security zone.

Reference: MSDN

OTHER TIPS

If you have Python installed, a webserver to serve files can be as simple as

python -c "import SimpleHTTPServer;SimpleHTTPServer.test()"

Edit: Original poster can't use this approach, but in general I think this is the way to solve this particular problem for future users with this issue.

Do you control the server providing the data? If so, you can set up a callback. The basic idea is you have a function in the script that handles incoming data (in your case an XML string). Then the server responds to the request with a JavaScript snippet of your callback function with the string as the argument. And instead of using AJAX, you add a new script tag to the page. This is the basis for JSONP. It looks something like this.

local page.

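<script>
    // Called by the script the remote server returns.
    function callback(str) {
        alert(str);
    }
    // Request the data by adding a script tag instead of using AJAX.
    function makeRequest(params) {
        var s = document.createElement('script');
        s.src = 'http://serveranywhere/script.bla?' + params;
        document.getElementsByTagName('head')[0].appendChild(s);
    }
</script>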

remote server returns

callback('<xml><that><does><something></something></does></that></xml>');

Now when the script is added to the page, the function callback will be executed with the string you provide. And jQuery can do all of this for you using JSONP in the $.ajax call. Hope this helps.
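
The server side of the callback pattern in the answer above, as an added example that is not part of the original post: it validates the requested callback name and encodes the XML as a JavaScript string literal, so quotes, newlines or `</script>` in the data cannot break out of the call. The function names, the length limit and the sample XML are assumptions made for illustration.

```javascript
// Added example, not code from the original answer. All names are hypothetical.

// Accept only plain (optionally dotted) identifiers as the callback name,
// so the query string cannot place arbitrary script in the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Encode any text as a JavaScript string literal that is safe inside a script.
function toJsStringLiteral(text) {
  return JSON.stringify(String(text))
    .replace(/</g, '\\u003c')        // no "</script>" or "<!--" in the body
    .replace(/\u2028/g, '\\u2028')   // line separators end string literals
    .replace(/\u2029/g, '\\u2029');  // in engines older than ES2019
}

// Returns { status, contentType, body } for one JSONP request.
function buildJsonpResponse(callbackName, xml) {
  if (typeof callbackName !== 'string' || callbackName.length > 64 ||
      !CALLBACK_RE.test(callbackName)) {
    return { status: 400, contentType: 'text/plain', body: 'invalid callback' };
  }
  return {
    status: 200,
    contentType: 'application/javascript; charset=utf-8',
    // Leading comment: the caller-chosen name is never the first bytes sent.
    body: '/**/' + callbackName + '(' + toJsStringLiteral(xml) + ');'
  };
}

// Constructed sample data with characters that break a naive callback('...')
// response: a single quote, a newline and a closing script tag.
const sampleXml = "<report name='Q1'>\n<note></script></note></report>";
const ok = buildJsonpResponse('callback', sampleXml);
const rejected = buildJsonpResponse('callback);other(', sampleXml);
console.log(ok.body);
console.log(rejected.status, rejected.body);
```

The page that loads this response still runs whatever the remote server sends, so the pattern is only appropriate when that server is trusted.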

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow