If you do not know the answer, thumbs up.
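/**
 * Upload a fixed 1x1 test image together with the caller's form fields.
 *
 * The multipart/form-data body is assembled by hand as a binary string:
 * every own enumerable property of `form_data` becomes a text field, then a
 * file part named "file1" (filename "me.gif") is appended. The body is
 * POSTed to http://upload.guy.com/storage.php and the response text is
 * written to the console once the request completes.
 *
 * Review notes:
 *  - The endpoint is plain http://, so the fields and the response travel
 *    unencrypted; use https:// if the server offers it.
 *  - Called from a page on another origin, the request is subject to the
 *    same-origin policy: the response is readable only if the server opts
 *    in with CORS response headers (Access-Control-Allow-Origin).
 *
 * @param {Object} form_data - field name -> value pairs; values are
 *     string-concatenated into the body as-is.
 * @returns {undefined}
 */
function local_upload_photo(form_data)
{
    var boundary = "-----------------------------" + (new Date).getTime();
    var CRLF = "\r\n";
    var parts = [];
    var name;

    // A field name is placed inside a quoted header parameter. A raw quote or
    // line break in it would end the parameter or start a new header line, so
    // those three characters are percent-encoded the way browsers encode
    // them when they submit a form themselves.
    function escape_name(value)
    {
        return String(value)
            .replace(/\r/g, "%0D")
            .replace(/\n/g, "%0A")
            .replace(/"/g, "%22");
    }

    for (name in form_data)
    {
        // Called through Object.prototype so an object that shadows or lacks
        // hasOwnProperty is still handled.
        if (Object.prototype.hasOwnProperty.call(form_data, name))
        {
            // NOTE(review): values are written raw. A value that contains
            // CRLF + "--" + boundary would be read as a part delimiter, and
            // the boundary is only a timestamp; validate values upstream if
            // they can come from an untrusted source.
            parts.push('Content-Disposition: form-data; name="' + escape_name(name) + '"' + CRLF + CRLF + form_data[name] + CRLF);
        }
    }

    // NOTE(review): the decoded bytes begin with the PNG signature although
    // the part is labelled image/gif / me.gif; a server that checks magic
    // bytes may reject it. Kept exactly as in the original.
    var data = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQImWNgYGAAAAAEAAGjChXjAAAAAElFTkSuQmCC');
    parts.push('Content-Disposition: form-data; name="file1"; filename="me.gif"' + CRLF + "Content-Type: image/gif" + CRLF + CRLF + data + CRLF);

    // This leading line sits before the first delimiter, i.e. in the
    // multipart preamble, which parsers are expected to skip. It is kept so
    // the bytes on the wire stay the same as before.
    var request = 'Content-Type: multipart/form-data; boundary=' + boundary + CRLF + CRLF;
    request += "--" + boundary + CRLF;
    request += parts.join("--" + boundary + CRLF);
    request += "--" + boundary + "--" + CRLF;

    var xhr = new XMLHttpRequest();
    xhr.open('post', 'http://upload.guy.com/storage.php');
    xhr.setRequestHeader('Content-Type', 'multipart/form-data; boundary=' + boundary);
    // Content-Length is not set here: it is a forbidden request header for
    // XMLHttpRequest, so the browser computes it and ignores a script value.
    xhr.onreadystatechange = function() {
        if (xhr.readyState === 4) {
            console.log(xhr.responseText);
        }
    };

    if (typeof xhr.sendAsBinary === "function")
    {
        xhr.sendAsBinary(request);
    }
    else
    {
        // sendAsBinary was a non-standard Firefox method and no longer
        // exists. Sending the low byte of every character as a typed array
        // puts the same bytes on the wire.
        var bytes = new Uint8Array(request.length);
        for (var k = 0; k < request.length; k++)
        {
            bytes[k] = request.charCodeAt(k) & 0xff;
        }
        xhr.send(bytes);
    }
}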
Story: The user comes to guy.lt and runs the JS code, which he enters in the URL bar using javascript:. This should upload the file that you see in base64 to storage.guy.lt. However, the same-origin policy kicks in here and does not allow this. One solution would be to simply ask people to do the same on storage.guy.lt, or to move the upload to guy.lt; however, the client disagrees.
, - Facebook. , FB , , facebook.com, POST ( XMLHttpRequest, AFAIK) uploads.facebook.com. ?
iframe http://static.ak.facebook.com/common/redirectiframe.html :
// Guard: true when a user agent string exists and the number after "Gecko/"
// (presumably the Gecko build date) is NOT <= 20060508. For agents without
// "Gecko/<digits>" the regex does not match, pop() on the empty array gives
// undefined, parseInt returns NaN, NaN <= n is false, and the negation makes
// the condition true, so non-Gecko browsers pass the guard as well.
// NOTE(review): parseInt is called without a radix; pass 10 explicitly so a
// digit string can never be read in another base.
if (navigator && navigator.userAgent && !(parseInt((/Gecko\/([0-9]+)/.exec(navigator.userAgent) || []).pop()) <= 20060508)) {
// The assignment below is commented out, so this block has no effect as
// shown. If enabled, setting document.domain to the shared parent domain lets
// pages on sibling subdomains that set the same value script each other's
// DOM. It does not by itself lift the same-origin restriction on
// XMLHttpRequest.
//document.domain='facebook.com';
}
, , , .