[Purdue-pm] XSS and Firefox 2.0

David Jacoby jacoby at csociety.ecn.purdue.edu
Wed Nov 15 09:20:37 PST 2006


Just did a test. I changed my code to do the Ajax.get on a
URL with an absolute path on csociety.org.

    http://csociety.org/~jacoby/Code/AJAX/small_ff20.html

Thing is, csociety.org is also pm.purdue.org, so if we call
the same page on another server

    http://pm.purdue.org/~jacoby/Code/AJAX/small_ff20.html

You'll see it flakes. And yes, in afterthought it might be
nice to have a better failure mode for this example code,
like "information not found", but I'll beat myself up about
this later.

Interestingly, it used to work on IE 6, but it does not on
IE 7.

-- 
Dave Jacoby    jacoby at csociety.org

  setenv EDITOR /usr/bin/vi
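
Added example, not part of the original post: a browser's same-origin check for XMLHttpRequest compares scheme, host and port, so the two hostnames in the post count as different origins even though they reach the same server. The data file name `example-data.txt` and all function names are hypothetical; the two page URLs are the ones from the post.

```javascript
// Same-origin check as applied to XMLHttpRequest targets (illustration only).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Page URLs taken from the post; the data file name is a hypothetical placeholder.
const CSOCIETY_PAGE = "http://csociety.org/~jacoby/Code/AJAX/small_ff20.html";
const PM_PAGE = "http://pm.purdue.org/~jacoby/Code/AJAX/small_ff20.html";
const ABSOLUTE_TARGET = "http://csociety.org/~jacoby/Code/AJAX/example-data.txt";

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // An omitted port means the scheme default, so :80 and "" must match.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Resolve the request target against the page, then decide whether a
// same-origin-only XMLHttpRequest would be allowed to fetch it.
function checkAjaxTarget(pageUrl, target) {
  const resolved = new URL(target, pageUrl).href;
  if (sameOrigin(pageUrl, resolved)) {
    return { allowed: true, url: resolved, message: "" };
  }
  // Explicit failure text instead of a silent breakage.
  const host = originOf(resolved).host;
  return {
    allowed: false,
    url: resolved,
    message: "information not found (request to " + host + " is cross-origin)",
  };
}

console.log(checkAjaxTarget(CSOCIETY_PAGE, ABSOLUTE_TARGET)); // same host: allowed
console.log(checkAjaxTarget(PM_PAGE, ABSOLUTE_TARGET));       // other host: blocked
console.log(checkAjaxTarget(PM_PAGE, "example-data.txt"));    // relative: allowed
```

A relative target resolves against whichever hostname served the page, so it stays same-origin under both names.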


