[jQuery] Re: using load cross site

2007-09-10 Thread Kris Zyp
Here is the JSONP proposal: http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/ Yahoo also uses the same approach (with a different callback parameter): http://developer.yahoo.com/common/json.html And I just released CrossSafe, which lets you securely use JSONP/XSS with callback: http

[jQuery] Re: using load cross site

2007-08-14 Thread Pops
> Here is a perfect example. Add this to any web site: > > http://beta.winserver.com/public/ > js/mike.data"> > > alert(mike); /// "Say hello to my little Friend!" > > Sorry, that should be: http://beta.winserver.com/public/js/mike.data";> alert(mike); /// "Say hello to my little

[jQuery] Re: using load cross site

2007-08-14 Thread Pops
On Aug 14, 4:23 am, "Michael Geary" <[EMAIL PROTECTED]> wrote: > Hector, the example URL below is just the JSONP Flickr feed URL. It's not a > complete example, so it doesn't show the cross-site JSON download in action. > > Here are a couple of more complete examples that do a cross-site JSON >

[jQuery] Re: using load cross site

2007-08-14 Thread Michael Geary
Hector, the example URL below is just the JSONP Flickr feed URL. It's not a complete example, so it doesn't show the cross-site JSON download in action. Here are a couple of more complete examples that do a cross-site JSON download of that feed: http://mg.to/test/flickr/jsonp/static.html http:/

[jQuery] Re: using load cross site

2007-08-13 Thread Hector Santos
But Michael, please excuse my ignorance. I'm curious. I have to ask because I still do not see this "JSONP XSS loophole." Isn't this Flickr example you showed below self-contained with the same site I/O? Where is the cross-site logic? Do you have a link to some official or 'proposal' or dra

[jQuery] Re: using load cross site

2007-08-13 Thread Michael Geary
No, you can load *scripts* cross-site with no problem. It's true, a server-side proxy is the only way to do a cross-site Ajax download. But if the information is available in any kind of executable JavaScript format, you can use a script tag or a dynamic script element to download it. That's wh

[jQuery] Re: using load cross site

2007-08-13 Thread Anthony Leboeuf(Worcester Wide Web)
Thanks man, got it. Matt Stith wrote: The only way around is to use a server-side script as a proxy, as loading scripts cross-site is a security risk, which is why browsers block that out. On 8/13/07, * Anthony Leboeuf(Worcester Wide Web)* <[EMAIL PROTECTED] > wrote:

[jQuery] Re: using load cross site

2007-08-13 Thread Matt Stith
The only way around is to use a server-side script as a proxy, as loading scripts cross-site is a security risk, which is why browsers block that out. On 8/13/07, Anthony Leboeuf(Worcester Wide Web) < [EMAIL PROTECTED]> wrote: > > > Hello, > > I am working on a website for the BBB and need to load