Simon Willison’s Weblog

Items tagged quora, security, javascript, webdevelopment

Filters: quora × security × javascript × webdevelopment ×


Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?

It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.

[... 105 words]

Why do some websites implement their logout link as a form post via JavaScript versus a plain old GET request?

Probably because if you implement logout as a GET action, I can force you to log out of a site by tricking you in to visiting a page with an <img src="http://yoursite.com/logout/" width="1" height="1"> element on it.

[... 64 words]

Types

Years

Tags