in reply to Re: CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)
in thread CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)

then whoever owns that page gains the ability to run arbitrary scripts in your own domain's browser context

maybe, if the browser is configured to allow this

Re^3: CGI::Ajax. Getting content of second.html file to resultant div of one.pl (same/cross domain)
by wrog (Friar) on Jun 08, 2013 at 05:33 UTC
    Actually no.

    If one interprets "ability to run scripts in your domain's browser context" to include the case where your domain's browser context is explicitly broken so as to not allow scripts to actually do anything (i.e., not even execute any instructions), then it's still the case that everything your code can do, their code can do; it's just that since your code can no longer do anything, neither can theirs,…

    … which, I suppose, is one way to achieve absolute security, but not terribly useful if you actually wanted to do anything in javascript.

      Actually no. ....

      According to what? Using what browser?

        Any browser that allows you to mess with the DOM of the page via javascript, any browser for which CGI::Ajax is going to work at all (the premise of this discussion).

        If you can add elements, you can add script elements. And there's no way the browser can distinguish between script elements your javascript is generating out of whole cloth vs. script elements that are being blindly copied from some other site.
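
A defensive counterpart to the point argued in this thread, as an added example that is not from any poster: instead of copying fetched markup into the result div as-is, parse it into an inert document and recreate only allowlisted tags, with no attributes. The names `copySafe` and `insertUntrusted` and both tag lists are assumptions of this example.

```javascript
// Added example: allowlist copy of untrusted markup (all names are hypothetical).
// Tags that may be recreated in the page; any other tag is unwrapped or dropped.
const ALLOWED_TAGS = new Set(['P', 'B', 'I', 'EM', 'STRONG', 'UL', 'OL', 'LI',
                              'BR', 'PRE', 'CODE', 'H1', 'H2', 'H3']);
// Elements whose contents are discarded together with the tag.
const DROP_SUBTREE = new Set(['SCRIPT', 'STYLE', 'IFRAME', 'OBJECT', 'EMBED',
                              'TEMPLATE', 'NOSCRIPT']);
const ELEMENT_NODE = 1, TEXT_NODE = 3;

// Copy the children of `src` into `dest`, creating fresh nodes in `doc`.
// No attribute is ever copied, so inline event handlers and javascript: URLs
// cannot survive; comments and other node types are skipped.
function copySafe(src, dest, doc) {
  for (const child of Array.from(src.childNodes)) {
    if (child.nodeType === TEXT_NODE) {
      dest.appendChild(doc.createTextNode(child.nodeValue));
    } else if (child.nodeType === ELEMENT_NODE) {
      const tag = child.tagName.toUpperCase();
      if (DROP_SUBTREE.has(tag)) continue;
      if (ALLOWED_TAGS.has(tag)) {
        const el = doc.createElement(tag.toLowerCase());
        dest.appendChild(el);
        copySafe(child, el, doc);
      } else {
        copySafe(child, dest, doc);   // unwrap: keep the text, lose the tag
      }
    }
  }
  return dest;
}

// Browser entry point: DOMParser yields a document in which scripts do not
// run, so the fetched string can be inspected before anything reaches the page.
function insertUntrusted(targetDiv, fetchedHtml) {
  const inert = new DOMParser().parseFromString(fetchedHtml, 'text/html');
  targetDiv.textContent = '';
  return copySafe(inert.body, targetDiv, targetDiv.ownerDocument);
}
```

In the page, `insertUntrusted(resultDiv, responseText)` takes the place of assigning the response to the div directly; links and images are deliberately lost because no attributes are kept.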