# Why is cross-domain scripting possible for local files on a mobile device?

## What I did:

I created an index.html with an xss.js, which calls the jQuery.get() function. Then I've opened the index.html in a browser (Firefox, Chrome, IE and Opera) and tried to trigger the ajax request.

## The Code

Here is my index.html:

```html
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>XSS</title>
    <script src="libs/js/jquery-1.7.2.js"></script>
</head>
<body>
    <button id="request">fire</button>
    <script src="libs/js/xss.js"></script>
</body>
</html>
```

and my xss.js:

```javascript
function init() {
    $('#request').click(loadContent);
}

function loadContent() {
    $.get('http://www.example.com/', null, function (data) {
        alert('success');
        $('body').html(data);
    }, 'html');
}

init();
```

If I open the `index.html` within a browser (`file:///C:/workspace/xss%20test/index.html`), I get the following responses after clicking the button:

- **Firefox**: no error code (`HTTP/1.1 200 OK`), but the answer is empty
- **IE**: no answer
- **Chrome**: `XMLHttpRequest cannot load http://www.example.com/. Origin null is not allowed by Access-Control-Allow-Origin.`
- **Opera**: no error code (`HTTP/1.1 200 OK`) and the complete html file as answer, but nothing will be displayed (the success callback is not being triggered)

This code will load the `index.html` into my Android WebView:

```java
public class MainActivity extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        WebView webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);
        webview.setWebChromeClient(new WebChromeClient());
        webview.setWebViewClient(new WebViewClient());
        webview.loadUrl("file:///android_asset/www/index.html");
    }
}
```

It calls the success callback and also displays the content of `www.example.com` in the body of my `index.html` file, after the button is triggered.

*(The same is possible on iPhone devices - I haven't tested this on Windows Phone devices)*.

## tl;dr - The Question:

Why is it possible to load content from a remote server to my mobile device - isn't this a case of cross-domain scripting or am I missing something?

> Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.

**Also:** Why does Opera receive an answer but does not display anything?

Thanks in advance.
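As an added example (not code from the question or from any answer on this page): a hardened variant of the Activity above that tells the WebView not to let `file://` pages reach other origins, and that keeps navigation inside the bundled assets. It assumes API level 16 or newer, where `setAllowUniversalAccessFromFileURLs` and `setAllowFileAccessFromFileURLs` exist (both are deprecated from API 30 but still honoured); the class and asset path are assumed to match the question's layout.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedMainActivity extends Activity {
    // Assumed to be the same bundled page as in the question.
    private static final String LOCAL_INDEX = "file:///android_asset/www/index.html";
    private static final String ASSET_PREFIX = "file:///android_asset/";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        WebView webview = (WebView) findViewById(R.id.webview);
        WebSettings settings = webview.getSettings();
        settings.setJavaScriptEnabled(true);

        // Scripts in a file:// page may no longer XHR to arbitrary remote origins
        // (this is the setting that made the $.get in the question succeed).
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Scripts in a file:// page may no longer read other local files via XHR.
        settings.setAllowFileAccessFromFileURLs(false);

        webview.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Only top-level navigations are seen here, not XHRs; returning true
                // means "handled by the app", i.e. the navigation is dropped.
                return !url.startsWith(ASSET_PREFIX);
            }
        });

        webview.loadUrl(LOCAL_INDEX);
    }
}
```

With these settings the WebView behaves like Chrome in the list above: the request from the `null` origin is refused unless the server opts in with `Access-Control-Allow-Origin`.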