That's correct, those attempts will be treated as XSS and I don't think you can get rid of it so easily. But there's a nice workaround that you can see being used by Google to authenticate users cross-domain over their services. Adapting it to your situation, it would do something like this:

Domain A submits data to domain B via iframe, not expecting to have access to the answer.
Domain B, in answer, tells the browser that it is being redirected back to domain A, page /handle.php?data=some encrypted data which server A can decrypt with a password only your system knows.
Domain A now knows what came from B, and can tell the user's browser what to do with it.

Recommendations about this encrypted data: the first bytes should be a checksum. Even if hackers can't decode it, they can push erroneous data to your server by editing the request dumbly.
The data shall also bring a unique ID and possibly an expiration date of 1 or 2 minutes, so it can't be submitted twice or recorded to be submitted at a different time.
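An added example, not code from the answer or from Google's scheme, of the redirect token described above: domain B mints a value carrying a unique ID and a short expiry, and domain A's /handle.php equivalent checks the tag, the expiry and reuse. It uses an HMAC tag in place of the answer's plain checksum and leaves the payload unencrypted (an authenticated cipher would be needed for the confidentiality part); SECRET, TTL_SECONDS and the a.example host are constructed placeholders.

```python
import base64, hashlib, hmac, json, os, time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"shared-secret-known-only-to-A-and-B"  # constructed placeholder
TTL_SECONDS = 120                                 # the answer's 1-2 minutes
TAG_LEN = 32                                      # bytes in an HMAC-SHA256 tag

def make_token(payload: dict, now: float) -> str:
    """Domain B: wrap payload with a unique id and expiry, then prefix a keyed
    tag (an HMAC is used here instead of a plain checksum so an edited request
    cannot simply recompute the check value)."""
    body = json.dumps({"id": os.urandom(16).hex(),
                       "exp": int(now) + TTL_SECONDS,
                       "data": payload}, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + body).decode()

def redirect_url(payload: dict, now: float) -> str:
    """The Location header domain B sends the browser back to domain A with."""
    return "https://a.example/handle.php?" + urlencode({"data": make_token(payload, now)})

def tampered_copy(url: str) -> str:
    """Simulates the 'edited request' the answer warns about: flip one bit."""
    raw = bytearray(base64.urlsafe_b64decode(parse_qs(urlparse(url).query)["data"][0]))
    raw[-2] ^= 1
    return "https://a.example/handle.php?" + urlencode(
        {"data": base64.urlsafe_b64encode(bytes(raw)).decode()})

class Handler:
    """Domain A's /handle.php: verify tag, then expiry, then reject reused ids."""
    def __init__(self):
        self.seen = {}  # id -> exp, pruned once expired so it cannot grow unbounded

    def handle(self, url: str, now: float):
        raw = base64.urlsafe_b64decode(parse_qs(urlparse(url).query)["data"][0])
        tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(SECRET, body, hashlib.sha256).digest()):
            return None, "bad tag"
        msg = json.loads(body)
        if now > msg["exp"]:
            return None, "expired"
        self.seen = {i: e for i, e in self.seen.items() if e >= now}
        if msg["id"] in self.seen:
            return None, "replay"
        self.seen[msg["id"]] = msg["exp"]
        return msg["data"], "ok"

if __name__ == "__main__":
    h, url = Handler(), redirect_url({"user": "alice"}, time.time())
    print(h.handle(url, time.time()), h.handle(url, time.time()))  # ok, then replay
```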
At this point I have no admin/server access to the personal.work.org site, and were I to request any access, it would be just to get the data server-side. I was hoping AJAX would actually offer a safer solution in the sense that the user was authenticated and only getting their own info. – Anthony Sep 11 '09 at 1:59

If the server is not yours and you can't make it behave the way you need, then I'm sorry to say you can't do what you want. It would be a major security hole if it were possible. – Havenard Sep 11 '09 at 2:19

Why can't server A cURL it? If it really can't, can a server "C" hosted somewhere else do it? Or maybe cURL via proxy? Lame workarounds, but still possibilities. – Havenard Sep 11 '09 at 2:30

cURL via proxy would be the only option. Unless cURL can be initiated client side. That would be weird and awesome. – Anthony Sep 11 '09 at 2:46