Is this really a security no-no?

by Ghalt
3 replies
I had developed a site in WordPress, including a gallery. It was a site to show off a new waterfront rental home for sale. (People could buy it to use as a rental.)

Then the guy who owned that site wanted a couple of static pages to also go up on another site that deals with rentals.

I created the static pages and left the scripts in place that handle the gallery, since they call the original site and will work just fine.

I know that, generally speaking, calling scripts from another site is frowned upon. I thought it was because of bandwidth consumption. I thought it would be OK in this instance since the site the scripts call is part of the original WordPress site... the guy would be OK with letting the second site call it.

But the guy that hosts the second site (the rental site) doesn't want to put the static pages up because he says that it's "cross-site scripting" and is a security violation and that a lot of browsers will block it.

Is that true? Or if both sites are co-operating, and bandwidth sharing isn't an issue, is it really a problem?

Should I ask this guy to just put the pages up anyway since both sites are related?
#nono #security
  • Technista
    Originally Posted by Ghalt:

    > Should I ask this guy to just put the pages up anyway since both sites are related?
    Good luck with that. You know the sites are related, but the 2nd host seems reluctant to put himself at "risk", whether it is real or perceived.

    Would it be worth your while to duplicate the gallery instead of embedding it? You achieve the same result and everyone is satisfied.

    T
  • waitstate
    You're putting yourself at risk from man-in-the-middle attacks whereby naughty types can replace your scripting with something of their own. Additionally, various software looks out for cross-site scripting and refuses to load it, assuming that it's naughty...so you'll be losing visitors.

    Best not to do it. You may know it's benign, but nobody else would trust it, if detected. The odds are high that scripting called from somewhere else is not a good thing.
  • alexievici
    Depends on how you're "calling" your scripts:

    - include(require) from PHP, that's a BIG no-no, browsers won't see that and can't block it (it's server-side);
    - file_get_contents (curl, fsockopen, etc.): that's not such a BIG security risk, because you're fetching only the content like a normal browser would do; browsers can't block this either;
    - javascript/iframe/etc.: no potential security risk since you're using client functions and browsers are handling all the security; yes, browsers might block this.