我认为下面的工作没有用,因为我正在尝试XSS,但我尝试执行本地端口重定向来确认,但它仍然无效。有人可以告诉我这是否是XSS,如果没有,为什么它不起作用?
<html>
<div id="output"></div>
<script src="prototype.js" type="text/javascript"></script>
<script type="text/javascript">
function test()
{
this.url = "http://www.google.com"
}
test.prototype.run = function()
{
var request = new Ajax.Request(this.url,
{
method: "get",
onSuccess: this.success.bind(this),
onFailure: function(response) { alert("failure"); }
});
};
test.prototype.success = function(response)
{
var debug = "this.url = " + this.url + ",<br>"
+ " response.status = " + response.status + ",<br>"
+ " response.statusText = " + response.statusText + ",<br>"
+ " response.readyState = " + response.readyState + ",<br>"
+ " response.responseText = " + response.responseText + ",<br>"
+ " response.responseXML = " + response.responseXML + ",<br>"
+ " response.responseJSON = " + response.responseJSON + ",<br>"
+ " response.headerJSON = " + response.headerJSON + ",<br>"
+ " response.request = " + response.request + ",<br>"
+ " response.transport = " + response.transport + ",<br>"
+ " response.transport.readyState = " + response.transport.readyState + ",<br>"
+ " response.transport.responseText = " + response.transport.responseText + ",<br>";
document.getElementById("output").update(debug);
};
new test().run();
</script>
</html>
答案 0 :(得分:3)
它不是XSS(这是攻击Web应用程序的客户端的一种方式),但它只是在这里有效的原始策略。您不能简单地使用来自您自己以外的域的Ajax请求请求数据(您自己的意思是从您的Web应用程序加载的域)。