Hi browser-junkies,

> I suspect that when the web browser gets a hold of the XmlHttp 
> object, it will enforce its security rules, regardless of 
> whether the object was created from script or not. But I'm 
> not sure, it's worth looking into.

Here's what I've found out:

If we make a simple factory method for XmlHttp that you can use like this

  // Instantiate our factory object (marked safe for scripting)
  var factory = new ActiveXObject("DQSD.UnsafeCreator");
  // Let the factory create XmlHttp on the page's behalf
  var request = factory.UnsafeCreateObject("Microsoft.XmlHttp");

the whole zone-based permission check is omitted, or so it seems. An
XmlHttpRequest instance created by our unsafe creator can be used for remote
GET-requests, while one created directly with new ActiveXObject cannot.

This is good, because we have a simple way of using XmlHttp. However, it's
bad because anyone can use our UnsafeCreator to instantiate XmlHttp without
security ramifications.

So, does anyone have ideas for how to make this more secure?

Thanks,
- Kim



_______________________________________________
Archive: https://lists.sourceforge.net/lists/listinfo/dqsd-devel