Js] CSSHttpRequest - The new kid on the block

October 5, 2009 - 17:36 CEST - Tags: security xss jsonp css I just read about CSSHttpRequest (or AJACSS as it's also know) - a new way to do cross domain request like JSONp, but without using dynamic javascript tags.

It's described pretty well here. Basically it's using dynamic CSS-tags (<link>), to load data. The data is URL encoded and delivered as a part of a background url definition like this:
#c0{background:url(data:,Loaded%20through%20CSSHttpRequest%20at%20%3A1919%3A1010%3A5151%20Europe%2FBerlin);}
To load the data you include the CSSHttpRequest-script, and add the following javascript:
CSSHttpRequest.get("url to css wrapped data", callback);
The callback function has to take one parameter which is the data received from the URL.

function callback(data) {
  // do something with data
}

At first glance - apart from being a hack - this sounds like a better solution than JSONp, because you can't do much evil with a CSS, especially as CSSHttpRequest is sandboxing the CSS so it will not affect the page. However I'm still wondering if it will be possible to use the CSS expression() function in IE to somehow execute code. Does anybody know?

Submit

0 comment(s) | Permalink | | This entry has been viewed 1059 time(s).

Add comment:

Spam will be deleted.

About Erlend

I'm a senior consultant at Bekk Consulting AS. This blog is about software development, with a special focus on security.

Follow me on twitter

31.08	[Security] Rails 3.0 and XSS-protection
6.07	[Security] Avoiding NoSQL-injection with MongoDB
27.06	[Security] NOSQL-injection
7.06	[.NET] Microsoft Pex - exploratory testing
18.05	[Security] Security podcasts