Hacker News new | past | comments | ask | show | jobs | submit login

Wouldn't that be blocked by cross-site AJAX restrictions? Or are we talking about injecting <img> and <script> tags into the document?



The latter, or maybe iframes.


No, it wouldn't. With AJAX, the request always goes out, and is received and processed by the server if they choose to (most never check the request origin).

Then, the server can decide whether or not to attach cross origin resource sharing headers to the response. If those headers exist, the response is exposed to JavaScript. If not, they are swallowed by the browser.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: