Why is it possible to use cross-domain scripts for local files on a mobile device?

What I've done:

I created index.html with xss.js, which calls the jQuery.get() function. Then I opened index.html in a browser (Firefox, Chrome, IE and Opera) and tried to fire the Ajax request.

Code

Here is my index.html:

    <!DOCTYPE html>
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>XSS</title>
        <script src="libs/js/jquery-1.7.2.js"></script>
    </head>
    <body>
        <button id="request">fire</button>
        <!-- loaded last so the button exists when xss.js runs -->
        <script src="libs/js/xss.js"></script>
    </body>
    </html>

and my xss.js:

    // Attach the click handler; the script is included at the end of <body>,
    // so the button is already in the DOM.
    function init() {
        $('#request').click(loadContent);
    }

    // Cross-origin GET: from a file:// page the browser sends "Origin: null".
    function loadContent() {
        $.get('http://www.example.com/', null, function(data) {
            alert('success');
            $('body').html(data);
        }, 'html');
    }

    init();

If I open index.html in a browser ( file:///C:/workspace/xss%20test/index.html ) and click the button, I get the following responses:

  • Firefox : no error code ( HTTP/1.1 200 OK ), but the response is empty

  • IE : no response

  • Chrome : XMLHttpRequest cannot load http://www.example.com/. Origin null is not allowed by Access-Control-Allow-Origin. XMLHttpRequest cannot load http://www.example.com/. Origin null is not allowed by Access-Control-Allow-Origin.

  • Opera : error code ( HTTP/1.1 200 OK ) and the full HTML file as the response, but nothing is displayed (the success callback does not run)

This code will load index.html into my Android WebView:

    import android.app.Activity;
    import android.os.Bundle;
    import android.webkit.WebChromeClient;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;

    public class MainActivity extends Activity {
        @Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            WebView webview = (WebView) findViewById(R.id.webview);
            // JavaScript is disabled in a WebView by default; xss.js needs it.
            webview.getSettings().setJavaScriptEnabled(true);
            webview.setWebChromeClient(new WebChromeClient());
            // A WebViewClient keeps navigation inside the WebView instead of
            // handing it to the system browser.
            webview.setWebViewClient(new WebViewClient());
            webview.loadUrl("file:///android_asset/www/index.html");
        }
    }

calls the success callback and also displays the contents of www.example.com in the body of my index.html file after the button is clicked.

(The same is possible on iPhone devices; I have not tested this on Windows Phone devices.)

tl;dr - Question:

Why can I download content from a remote server to my mobile device? Is this not a cross-domain script, or am I missing something?

Due to browser security restrictions, most Ajax requests are subject to the same-origin policy; the request cannot successfully retrieve data from a different domain, subdomain, or protocol.

Also: Why does Opera get a response but doesn't display anything?

Thanks in advance.

+4

1 answer

In fact, your code does not work in mobile browsers, including ICS and Chrome on Android, as well as Safari on the iPhone. However, what you showed does not load the HTML file in the browser; it loads it in a WebView, a completely different animal.

WebView, or WebKit, is just a user-interface widget that implements browser functionality. It is not a browser. It doesn't provide the things a regular Chrome browser does, and by default it has a very liberal security model compared to browsers, although you can add code to implement things like a same-origin policy if you want.

This is not only on mobile devices. Try creating a WebKit application on your desktop and you will see the same thing.

I believe the reason for this is that WebViews and WebKits are meant to display content that you control 100%, unlike browsers, where users can enter any URL in the address bar. So you are entrusted with vetting whether the things you load are safe or not.

+6
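The answer's point is that a WebView ships with a permissive default policy and leaves the narrowing to the app. The following is an added example, not code from the questioner or the answerer, showing one way to do that narrowing on Android: the stock android.webkit settings that stop a file:// page from reaching other local files or arbitrary origins, plus a WebViewClient that refuses any navigation or sub-resource request outside the app's own asset folder. It assumes API level 24 or later for the WebResourceRequest overloads of shouldOverrideUrlLoading and shouldInterceptRequest; the package name and class names are hypothetical.

```java
// Added example (not the question's or answer's code): hardening the default
// WebView configuration. Assumes Android API 24+; package name is hypothetical.
package com.example.webviewhardening;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;

public class HardenedWebViewActivity extends Activity {

    // Only pages bundled inside the APK may be loaded or fetched.
    static final String ASSET_PREFIX = "file:///android_asset/www/";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webview = new WebView(this);
        setContentView(webview);

        WebSettings settings = webview.getSettings();
        settings.setJavaScriptEnabled(true);
        // A file:// page must not read other local files via XHR ...
        settings.setAllowFileAccessFromFileURLs(false);
        // ... nor be exempt from the same-origin policy for any origin.
        settings.setAllowUniversalAccessFromFileURLs(false);
        // No content:// provider access from the page either.
        settings.setAllowContentAccess(false);

        webview.setWebViewClient(new AssetOnlyClient());
        webview.loadUrl(ASSET_PREFIX + "index.html");
    }

    /** Blocks top-level navigation and sub-resource loads outside the asset folder. */
    static class AssetOnlyClient extends WebViewClient {

        static boolean isAllowed(Uri uri) {
            return uri != null && uri.toString().startsWith(ASSET_PREFIX);
        }

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            // Returning true tells the WebView to cancel the navigation.
            return !isAllowed(request.getUrl());
        }

        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
            if (isAllowed(request.getUrl())) {
                return null; // null = let the WebView load it normally
            }
            // Serve an empty body instead of contacting the remote host, so the
            // $.get() call from the page receives nothing to inject into <body>.
            return new WebResourceResponse("text/plain", "utf-8",
                    new ByteArrayInputStream(new byte[0]));
        }
    }
}
```

With this client in place, the $.get('http://www.example.com/') call from the question's xss.js never leaves the device: shouldInterceptRequest answers it with an empty response, and any link or redirect to a non-asset URL is cancelled by shouldOverrideUrlLoading. The three WebSettings calls cover the case the answer describes, a file:// page that would otherwise be treated as trusted for every origin.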

Source: https://habr.com/ru/post/1446519/

