September 25

Cross domain POST without security

Posted by Juan. Filed under Research | 1 Comment

I would have bet that browsers imposed restrictions against this… but it seems that they do not.

Check the following question from Webmasters @ StackExchange: Can I do a non-hostile cross-domain POST now?

And it seems it is totally feasible:

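<!-- testPostSender.php: the form, served from www.alphasmanifesto.com -->
<html>
    <body>
        <form method="POST" action="http://www.automatumvitae.com/testPostReceiver.php">
            <input type="text" name="text" />
            <input type="submit" />
        </form>
    </body>
</html>

<!-- testPostReceiver.php: the target, served from www.automatumvitae.com -->
<html>
    <body>
        <p><?php
            // Echo the posted value back, HTML-escaped.
            if (isset($_POST['text'])) {
                $text = htmlspecialchars($_POST['text']);
                echo "Succeeded! Submitted value: $text";
            } else {
                echo "Didn't receive anything. :(";
            }
        ?></p>
    </body>
</html>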

You can actually try this out at http://www.alphasmanifesto.com/tests/testPostSender.php
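Because the browser sends the form regardless of which site hosts it, any filtering has to happen in the receiver. The following is an added example, not code from the original post: a variant of the receiver that rejects POSTs whose Origin/Referer is another site and requires a per-session token. The allowed origin, the `csrf_token` field name and the function names are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): a receiver that rejects the
// cross-domain POST shown above. ALLOWED_ORIGINS is an assumed value.
const ALLOWED_ORIGINS = ['http://www.automatumvitae.com'];
session_start();
if (empty($_SESSION['csrf_token'])) {
    // Per-session secret that only pages served by this site can read.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Origin reported by the browser (Origin, else Referer); null if neither was sent.
function requestOrigin(array $server): ?string
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!is_string($source)) {
        return null;
    }
    $parts = parse_url($source);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return strtolower($source); // e.g. "null": present but never allowed
    }
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    return strtolower($parts['scheme'] . '://' . $parts['host']) . $port;
}

function isTrustedPost(array $server, array $post, string $sessionToken): bool
{
    $origin = requestOrigin($server);
    if ($origin !== null && !in_array($origin, ALLOWED_ORIGINS, true)) {
        return false; // form was submitted from another site
    }
    // Headers may be missing, so the token is the deciding check.
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && hash_equals($sessionToken, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isTrustedPost($_SERVER, $_POST, $_SESSION['csrf_token'])) {
        http_response_code(403);
        exit('Rejected: cross-site or tokenless POST.');
    }
    $text = is_string($_POST['text'] ?? null) ? $_POST['text'] : '';
    echo 'Succeeded! Submitted value: ' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
} else {
    // The site's own form carries the token in a hidden field.
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo "<form method=\"POST\"><input type=\"hidden\" name=\"csrf_token\" value=\"$token\" />"
       . '<input type="text" name="text" /><input type="submit" /></form>';
}
```

A form hosted on another domain, like the sender above, cannot read the session token, so its POST is answered with 403 even when the Origin and Referer headers are absent.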

This entry was posted on Sunday, September 25th, 2011 at 19:00 and is filed under Research.

One Response to “Cross domain POST without security”

  1. Misceláneos del fin de semana | Alpha's Manifesto on September 26th, 2011 at 00:08

    [...] I made a small post about Cross Domain POST Requests. Apparently there is nothing stopping them from happening. While that is not news, I wonder why there is a problem with Cross Site Ajax Requests and not with this. The post and a small test are here. [...]
