0

I have HTML and JavaScript files on my filesystem for a mobile application that is in development. When the application is deployed to a mobile device, these files will be hosted on the local filesystem there, where XSS from file:// is not an issue. An important part of this application is sending XHR POST requests to a RESTful API.

It seems like XSS should not be a security issue for browsers if the files making the request are hosted on a local filesystem instead of deployed to a web server.

Does anyone know of a browser extension or configuration change that will enable XSS from files hosted on a local file system?

Matthew Taylor
  • 3,911
  • 4
  • 29
  • 33

2 Answers2

1

Well, although you will have to change the server and client code a little bit, it isn't very clean and you will have to trust the server, you can load the data as a javascript which contains a call to a function in your page and a big string or so as the parameter. This seems to be a good example.

Alternatively, you could serve the files from a local webserver and fiddle around with the hostsfile and document.domain.

thejh
  • 44,854
  • 16
  • 96
  • 107
  • I'm using JSONP for my GET requests. But this will not work for POST requests. And I beiieve document.domain is read only. I'm trying to avoid setting up my API as a local server and deploying my html/js files onto the same domain. – Matthew Taylor Nov 26 '10 at 17:17
  • But I wonder about messing with the hostsfile... I could deploy a local web server and just serve up my files statically, then change the hosts file to have 127.0.0.1 point to the same hostname as the API I'm trying to POST to. – Matthew Taylor Nov 26 '10 at 17:23
  • @Matthew Taylor: You could give the locally served files the domain `local.actualinstallation.com` (in the hostsfile) and the actual server the domain `actualinstallation.com`. Then set `document.domain="actualinstallation.com"` in the locally served files. – thejh Nov 26 '10 at 19:33
  • So I tried the approach of hosting the files on a local server and changing my hosts file so 127.0.0.1 points to local.example.com. I could not change the document.domain, however, because it is read-only. But I thought it might work just because I would be POSTing to api.example.com, but I still get the same XSS error: XMLHttpRequest cannot load http://api.example.com/restful/url. Origin http://local.example.com is not allowed by Access-Control-Allow-Origin. I guess subdomains don't count as same origin: http://stackoverflow.com/questions/929677/how-exactly-is-the-same-domain-policy-enforced – Matthew Taylor Nov 27 '10 at 16:20
0

I've found a useful link that's helped me execute POST requests from localhost to another domain. It is a Firefox hack that allows XSS from files hosted at localhost. It's not perfect, but it helps me get this thing developed.

Matthew Taylor
  • 3,911
  • 4
  • 29
  • 33