Posts Tagged ‘cross domain scripting’

Cross domain Scripting comes to haunt again

March 6th, 2011 No comments

In my previous posts I discussed the cross-domain scripting issue with Firefox and how to solve cross-domain scripting issues on Tomcat.

But it looks like the issue has not been completely resolved. I used the CORS Filter solution, since we are working on Tomcat, but I have some problems in exception scenarios.

Problem Statement:

I am trying to call a REST service, catch the 404 or 200 condition it returns, and show an appropriate message to the user based on the status code.

My URL in the browser is http://localhost:8080/myapp/test.html

The code inside is:

<html>
<head>
<script type="text/javascript" charset="utf-8" src="json2.js"></script>
<script type="text/javascript" charset="utf-8" src="jquery-1.4.4.min.js"></script>
<script>

function invokeFunction()
{
    var myService = null;
    if (window.XMLHttpRequest) // for Mozilla
    {
        myService = new XMLHttpRequest();

        if (typeof myService.overrideMimeType != 'undefined')
            myService.overrideMimeType('application/json');
    }
    else if (window.ActiveXObject) // for IE
    {
        myService = new ActiveXObject("Microsoft.XMLHTTP");
    }

    var serviceUrl = "http://127.0.0.1:8080/myapp/webresources/user/1111";

Read more…

Categories: Uncategorized Tags:

Cross Domain scripting settings on Tomcat

February 23rd, 2011 3 comments

In the last post we explained how to configure Apache to allow cross-domain scripting. Details can be found here:

Cross domain Scripting problem with XmlHttp

If you do not plan to use Apache and for some reason are using Tomcat or any similar web container that supports filters, here is a ready-made solution: CORS Filter.

This gives you a servlet filter which is compatible with any Java Servlet 2.5+ web container.

Installation is very simple. Add the jar to your libraries, then add these lines to your web.xml:

<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>CORS</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

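And you are all set. With no init-param elements the filter applies its default policy to every URL matched by /*, so check that policy against the origins you actually intend to allow.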


Adding Access-Control-Allow-Origin to server for Cross domain scripting

February 4th, 2011 1 comment

I never imagined that cross-domain scripting would be such a big issue, especially in 2011. What I had envisioned as a small problem turned out to be much bigger and more complicated than I thought.

Let us go over the problem statement first.

I have application 1, http://www.skill-guru.com, making a JSON request to http://ww.geekevalaution.com.

While it works in IE (I was working with IE6), it fails in Firefox (I was using FF 3.6).

From Mozilla docs

Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request.  For instance, a resource loaded from Domain A (http://domaina.example) such as an HTML web page, makes a request for a resource on Domain B (http://domainb.foo), such as an image, using the img element (http://domainb.foo/image.jpg).  This occurs very commonly on the web today — pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources.

Or another example

http://127.0.0.1:8080/myservice making a call to http://127.0.0.1:8090/myservice2

will also not be allowed in FF because, even on the same server, a different port number makes it cross-domain scripting. Read more…
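The origin comparison behind the cases in these posts, together with the Access-Control-Allow-Origin check the browser applies to the response, as an added example that is not code from the original posts. The function names are hypothetical and the model covers simple requests only (no preflight).

```javascript
// Added example: models the browser's decision for a simple XMLHttpRequest.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple; the path plays no part.
function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] };
}

// Value the browser sends in the Origin request header (default port omitted).
function serializeOrigin(url) {
  return new URL(url).origin;
}

function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// responseHeaders: plain object holding the headers the server returned.
// The HTTP status is irrelevant here: a 404 without the header is as
// unreadable to the script as a 200 without it.
function canReadResponse(pageUrl, targetUrl, responseHeaders, withCredentials = false) {
  if (isSameOrigin(pageUrl, targetUrl)) return { allowed: true, reason: 'same origin' };
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  if (acao === '*') {
    return withCredentials
      ? { allowed: false, reason: 'wildcard is not accepted for credentialed requests' }
      : { allowed: true, reason: 'wildcard' };
  }
  if (acao !== serializeOrigin(pageUrl)) return { allowed: false, reason: 'origin mismatch' };
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
  }
  return { allowed: true, reason: 'origin echoed' };
}

// URLs taken from the posts on this page.
const PAGE = 'http://localhost:8080/myapp/test.html';
const SERVICE = 'http://127.0.0.1:8080/myapp/webresources/user/1111';
```

Note that `localhost` and `127.0.0.1` are different hosts for this comparison even though both reach the same Tomcat instance.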


Tomcat 7 introduces cross site scripting

January 28th, 2011 1 comment

Good news for those of you who have been waiting for Tomcat 7: a stable release has been announced. Another feature has made its way into Tomcat 7 and has been backported to earlier versions of Tomcat, and that is cross domain scripting.

We have talked in detail about cross-domain scripting issues and how to fix them. Developers should be careful when using cross-domain scripting.

Mark Thomas, SpringSource Employee and member of the Apache Security Committee, shares some of the insight behind the new cross-site script (XSS) protection feature introduced into Tomcat 7, 6 and 5 through this latest release effort.

In describing the problem, Mark explains:

Cross-site scripting (XSS) is the leading form of security vulnerabilities for web applications today. This vulnerability is found when attackers are able to inject client-side scripting into web pages by tricking the browser to trust scripts run from malicious hosts. These scripts usually access user and session information stored in cookies, and allow the hackers to forge trusted user behavior. The result can allow hijackers to control your user account, change your account settings, or redirect web traffic to malicious or false advertising sites. Recently, there has been an increase in high-profile cross-site scripting attacks on sites like Twitter and IBM’s DeveloperWorks, which illustrate how common these vulnerabilities exist on web sites both large and small.

To address this threat, a few cross-site scripting issues have been fixed in Tomcat 7. The ASF has used an unofficial, yet widely supported, extension to the Cookie specifications – httpOnly cookies. Read more…
