DIY Widgets: XSS components to other sites
Written by on November 22nd, 2006 in Ajax News.
Dr Nic Williams has written up a piece on how to embed your components on another site using a XSS approach instead of an iframe one.
The tutorial goes though:
The user will load up the webpage (e.g. Ajaxian mock page) that has a small <script src=”http://yoursite.com/magic_xss.js”></script> snippet in it [2]. When the page is loaded, the magic_xss.js file is loaded too. The user doesn’t know nor care.
When the magic_xss.js file is loaded it will do a couple of things:
- Install any stylesheets it needs
- Insert an empty, invisible HTML element into the page (e.g. <div id=”my_magic_xss” />).
- Read in any variables (e.g. Google Adsense requires the website owner to specify a number of variables, such as google_ad_format)
- Fetch any additional Javascript files or data. This is where even more dynamic magic can be performed. When requesting the additional data, you could pass back the current document’s URL or the current users’s IP address, and the webserver could return data that is relevant to that URL or IP address/geographic location. Clever, eh.
- Insert new HTML into the #my_magic_xss element based on the data that is returned from your own server. Your server - not the host website’s server.
Evan points out that: “Foreign-site iframe contents can’t be manipulated by the Javascript of the enclosing frame (at least, without special callbacks in the iframe itself). This gives Google a bit more control over the ad box, especially over the presentation, which will not be affected either by host site CSS or by Javascript attribute assignment.”
Source: Ajaxian
Original Article: http://ajaxian.com/archives/diy-widgets-xss-components-to-other-sites