Well, I guess the title of this post is a *bit* unfair, but it's close enough for me. First some background. I'm studying cross-site scripting right now for my final independent study at school. As part of this I'm messing around with a book on AJAX to learn more about JavaScript and how this whole Web 2.0 booya works. Tonight I'm banging on one of the early examples in the book. I created the HTML and JavaScript files on my local machine and hit them via Firefox. The JavaScript makes an XMLHttpRequest to the author's web site since there is almost zero info on server side code in the book. Firebug immediately starts complaining to me with "Permission denied to call method XMLHttpRequest.open". What the heck?? Time to troll Google.
Sure enough, I find some answers to the issue. The problem is that I am running the files at http://localhost/foo.html and the XMLHttpRequest is calling http://authors.website.com/his/webservice to get some AJAXy result back. Firefox looks at this and decides that isn't cool at all and blocks the request. Hurray for the Firefox team. I like it that they thought of this. However, now what am I supposed to do? I don't have the server side code and while I could toss this on my public server, I'd really rather not. Back to Google. Maybe there's a hack for this...
Well, sure enough there is. I found this post on Google Groups with details on how to work around the issue. Here's what the post has to say. Find user.js inside your Firefox profile. If it's not there, create it. Open it up and add the following three lines to it:
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
One problem: it allows any file running at localhost to call any other site in the background via XMLHttpRequest. From what I can see I have now configured Firefox to be much more open to XSS. So I'm just going to move this file out of my profile and shut Firefox down whenever I'm done studying. I'm not frustrated at Firefox at all in this. I just wish I had the source to the server code used in the book so I could run through things without asking to get pwn3d. *sigh*
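To check whether a profile still carries an override like this, the following added example (not code from the original post or from Firefox) parses user.js text and reports every named capability policy that grants allAccess, along with the sites it applies to. The function name `audit_user_js` is hypothetical, the sample input is constructed from the three lines above, and splitting `policynames` on commas or whitespace and `sites` on whitespace is an assumption.

```python
import re

# Matches one user_pref("name", "value"); line as written in user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
PREFIX = "capability.policy."

# Constructed sample input: the three lines quoted in the post.
SAMPLE_USER_JS = '''
user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");
'''


def audit_user_js(text):
    """Return one finding per active policy that grants allAccess to anything."""
    prefs = dict(PREF_RE.findall(text))
    # Only policies listed in policynames are considered active (assumption:
    # names are separated by commas or whitespace).
    names = re.split(r"[,\s]+", prefs.get(PREFIX + "policynames", "").strip())
    findings = []
    for name in filter(None, names):
        base = PREFIX + name + "."
        # Origins the relaxed policy applies to (assumed whitespace separated).
        sites = prefs.get(base + "sites", "").split()
        # Every property under this policy whose value is allAccess.
        granted = sorted(
            key[len(base):]
            for key, value in prefs.items()
            if key.startswith(base) and value == "allAccess"
        )
        if granted:
            findings.append({"policy": name, "sites": sites, "allAccess": granted})
    return findings


if __name__ == "__main__":
    for finding in audit_user_js(SAMPLE_USER_JS):
        print("policy %(policy)s grants allAccess to %(allAccess)s "
              "for pages served from %(sites)s" % finding)
```
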
Wednesday, June 27, 2007
Thursday, June 14, 2007
Darpa Robot Project
Here's an interesting DARPA project someone threw out in IRC today. It looks a lot like what I did but a WHOLE lot smaller. The military can throw out a number of these things and build a communications network on the fly in a battle zone using wifi. I hope they use better encryption methods than the current public uses, but it still is a cool idea. It is also similar to a project that was done for urban search and rescue. Send out a team of robots, build some kind of mesh network and guide rescuers through the burning building or whatever.
The robots being proposed by DARPA are surprisingly inexpensive at about $100 each. I figured they would cost a lot more. One thing that made me laugh from the article on The Register. DARPA admits "it is expected that power will be a challenging design requirement". No way!!! Really??