[talk] Cross Site Scripting in Browsers

Sujit K M kmsujit at gmail.com
Fri Dec 8 09:56:58 EST 2017


On Thu, Dec 7, 2017 at 10:58 PM, Pete Wright <pete at nomadlogic.org> wrote:
>
>
> On 12/07/2017 08:48, Sujit K M wrote:
>>
>> Hi All,
>>
>> I had a simple question, How is something like Cross Site Scripting
>> for example implemented in Browsers. A stupid idea(as even in open
>> source browsers) would be to change code and disable the code for
>> Cross Site Scripting and Hack. I call it stupid simply because the code is
>> going to be shared object.
>>
>> As a two part to this how are security in browsers implemented is there
>> any
>> documentation for this?
>
> not %100 sure i understand your question - are you asking how CORS (Cross
> Origin Resource Sharing) is implemented?  Cross Site Scripting (xss) is
> something browsers actively mitigate against so I'm a little confused I
> guess.

To sort of clarify this. We have Server Side Code which translates into HTML,
Now You Know the Orgin. Then You use Same Orgin policy within your browse
implementation after that.

> fwiw here's the moz docs on CORS which I think covers how it helps prevent
> XSS attacks while still allowing the browser to run code from multiple
> origins in a sorta-semi-but-probably-not-really-in-practice manner:

This document makes it more difficult to understand basic concepts. It
for Instance
says that XMLHttpRequest used Same Origin policy. But As you said it is not
practical.

> https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> @nomadlogicLA
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk




More information about the talk mailing list