Home/ Questions/Q 6816345
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T20:54:52+00:00

I’ve recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses

  • 0

I’ve recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:

Browsers prevent pages of one domain from reading pages in other domains. But they do not prevent pages of a domain from referencing resources in other domains. In particular, they allow images to be rendered from other domains and scripts to be executed from other domains. An included script doesn’t have its own security context. It runs in the security context of the page that included it. For example, if http://www.evil.example.com includes a script hosted on http://www.google.com then that script runs in the evil context not in the google context. So any user data in that script will “leak.”

I fail to see what kind of security problems this creates in practice. I understand XSS and XSRF but XSSI is a little mysterious to me.

Can anybody sketch an exploit based on XSSI?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) than the current page (A), the developers decided to use JSONP. So site A includes a script pointing to http://B/userdata.js which is something like:

    displayMySecretData({"secret":"this is very secret", ...})

    So A defines a function called displayMySecretData, and when the included script from server B runs, it calls that function and displays the secret data to the user.

    Now evil server E comes along. It sees that A is including data from B using JSONP. So server E includes the same script, but defines its own displayMySecretData which instead steals the data.
    The attacker then tricks the user into visiting his site. When the user goes there and he is logged in to B, the browser automatically sends the authentication cookies for B along with the request to fetch the script from B. B sees an authenticated user, and thus returns the script as expected. E gets the data, and presto…

    Using JSONP to load confidential data from a different domain this way is thus really insecure, but people are still using it. Bad idea!

    • 0