Crazy need to ENABLE cross-site scripting

Yes, I need to enable cross-site scripting for internal testing of the application I'm working on. I would use Chrome's disable-xss-auditor or disable-web-security switches, but it looks like they are no longer included in the Chrome build:

http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc

I am mainly trying to ensure that a JavaScript application running locally on pages served by Apache (also running locally) is allowed to run scripts from a resource running on another server on our network.

Failing to enable XSS for Firefox, Chrome, or my least favorite, IE, would there be a way to start some kind of proxy process that changes the headers to allow XSS to happen? Is there any quick way to use an Apache module modification or something similar for this?

Again, this is for testing only. In production, all these scripts are run from the same server, so you don't even need to sign them, but when developing and testing it is much easier to work only with the parts of the application that you need and not have to run the rest of the application, which requires installing a complete application server.

+4
2 answers

You only need a small end-to-end service running on the first server, which passes requests on to the second server and returns the results it gets back from the second server.

You don't say what language the server side of your application is written in or what data is transferred to or returned from your service, so I can't be more specific, but it really should be 15 lines of code to write a proxy service.

+3

A request is not cross-site scripting (which is a type of security vulnerability in which user input (for example, from a URL) is entered into a page so that third-party scripts can be added via a link).

If you just want to run the script on another server, just use the absolute URI.

<script src="http://example.com/foo.js"></script> 

If you need to make Ajax requests to a remote server, use CORS or run a proxy server on the current origin.

Again, this is for testing only.

Just for testing, check out Charles Proxy. The Map Remote function allows you to (transparently) redirect some requests to a remote server (based on URL mapping).

+3
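The CORS option mentioned in the second answer, sketched as an added example (not code from either answer): the decision logic the second server would apply so that only the local development origins may read its responses, without turning off browser protections. The origin list, method list, header list and the function name `corsDecision` are assumptions made for illustration.

```javascript
// Constructed allowlist: origins of the locally served Apache pages (assumed values).
const DEV_ORIGINS = new Set(["http://localhost", "http://localhost:8080"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-requested-with"];

// Decide the CORS part of a response.
// req: { method, headers } with lower-cased header names (as Node's http module gives them).
// Returns { status, headers }: status is null when the normal handler should run,
// 204 for an accepted preflight, 403 for a refused preflight.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // Vary: Origin stops a cache from replaying one origin's answer to another origin.
  const headers = { Vary: "Origin" };
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;

  // Exact string match only: never reflect an arbitrary Origin and never send "*".
  const originOk = typeof origin === "string" && DEV_ORIGINS.has(origin);
  if (!originOk) {
    // Without Access-Control-Allow-Origin the browser refuses to hand the response
    // to the page. CORS is not access control: the request still reaches the server.
    return { status: isPreflight ? 403 : null, headers };
  }

  if (isPreflight) {
    const wantedMethod = req.headers["access-control-request-method"];
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return { status: 403, headers };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }

  headers["Access-Control-Allow-Origin"] = origin;
  return { status: isPreflight ? 204 : null, headers };
}
```

Keeping the allowlist in the test configuration only means production, where everything is same-origin, never sends these headers.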

Source: https://habr.com/ru/post/1402878/
