On Mon, Dec 2, 2013 at 7:43 PM, Egor Homakov <[email protected]> wrote:
> I am trying to imagine "dynamically generated public JavaScript" but
> nothing comes to my mind.
>
This is an old trick.
Your service provides a small JavaScript snippet for hosting sites to
embed. The snippet generates a SCRIPT tag in the hosting DOM whose creation
triggers a (GET) request to fetch JavaScript from the central service, in
the provider's domain. That, as you know, is not subject to the same-origin
policy, hence the technique.
See for example the snippet of Disqus:
http://disqus.com/admin/universalcode/
The response contains JavaScript, whose evaluation injects content in the
host page.
The user browsing the hosting website is not a user of the service
provider; users may not even realize there is a centralized service
providing that section of the page.
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.
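As an added example, not part of the thread or of any real service's code, the two halves of the pattern described in the message above in JavaScript: the loader snippet a hosting site pastes into its page, and the dynamically generated response the provider serves, with the injected content serialized so it cannot terminate the script or escape its string literal. The provider URL, function names and the stub document used to evaluate the response are assumptions.

```javascript
// 1. The loader snippet a hosting site embeds. It creates a SCRIPT element
//    whose src points at the provider's origin (hypothetical URL); the browser
//    fetches it with a plain GET that the same-origin policy does not block.
function buildLoaderSnippet(siteId) {
  const src = 'https://embed.example/embed.js?site=' + encodeURIComponent(siteId);
  return [
    '(function () {',
    '  var s = document.createElement("script");',
    '  s.async = true;',
    '  s.src = ' + JSON.stringify(src) + ';',
    '  (document.head || document.body).appendChild(s);',
    '})();',
  ].join('\n');
}

// 2. The provider's response: JavaScript whose evaluation injects content
//    into the host page. The content is embedded as a JSON literal with the
//    characters that could end the script or the string escaped, so text
//    that crosses the trust boundary stays data when the browser runs it.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')       // "</script>" inside the literal is defused
    .replace(/\u2028/g, '\\u2028')  // U+2028/2029 act as line terminators in JS
    .replace(/\u2029/g, '\\u2029');
}

function renderEmbedScript(containerId, text) {
  return [
    '(function () {',
    '  var el = document.getElementById(' + jsLiteral(containerId) + ');',
    '  if (el) { el.textContent = ' + jsLiteral(text) + '; }',
    '})();',
  ].join('\n');
}

// 3. Evaluate a generated response against a constructed stub document
//    (Node has no DOM) and return what landed in the container.
function runInStubDocument(script) {
  const el = { textContent: '' };
  const document = { getElementById: () => el };
  new Function('document', script)(document);
  return el.textContent;
}
```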