Attacks against JSON
Because JavaScript is being used to transmit data, rather than pure code, the
possibility arises for a malicious web site to exploit the same origin policy’s
handling of JavaScript and gain access to data generated by other applications.
This attack involves an XSRF request, as described previously. However, in the
present case, it may be possible for the malicious site to read the data returned
in the cross-site response, thereby performing two-way interaction with the
target application.
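One server-side defence against this, added here as an illustration (not code from the book): refuse sensitive JSON to any request that looks like a cross-site script-tag load, using the Sec-Fetch-Dest/Sec-Fetch-Site headers modern browsers attach, with the X-Requested-With custom header (which a script tag cannot set) as a fallback for older browsers, and prefix the JSON that is served with a token that turns the body into a syntax error if it is ever evaluated as script. The prefix string, the header dictionaries and the payload below are constructed for the example.

```python
import json

# Constructed prefix: ")" at position 0 is a JavaScript syntax error, so a page
# that pulls this response in via <script src=...> gets nothing usable, while a
# same-origin client simply strips the prefix before parsing.
ANTI_INCLUSION_PREFIX = ")]}',\n"


def is_cross_site_script_load(headers):
    """Return True if the request looks like a <script src> fetch from another site."""
    h = {k.lower(): v for k, v in headers.items()}
    dest = h.get("sec-fetch-dest")
    site = h.get("sec-fetch-site")
    if dest is not None or site is not None:
        # Fetch Metadata is present: a script element is reported as dest "script",
        # and any request from another origin as site "cross-site".
        return dest == "script" or site == "cross-site"
    # No Fetch Metadata (older browser): require a custom header, which only
    # same-origin XMLHttpRequest/fetch code can add; a script tag never sends it.
    return h.get("x-requested-with") != "XMLHttpRequest"


def serve_json(headers, payload):
    """Return (status, body). Sensitive JSON is withheld from script-style loads."""
    if is_cross_site_script_load(headers):
        return 403, ""
    return 200, ANTI_INCLUSION_PREFIX + json.dumps(payload)


def parse_protected_json(body):
    """Same-origin client side: strip the prefix, then parse normally."""
    if not body.startswith(ANTI_INCLUSION_PREFIX):
        raise ValueError("missing anti-inclusion prefix")
    return json.loads(body[len(ANTI_INCLUSION_PREFIX):])


if __name__ == "__main__":
    # Constructed sample: a cross-site <script> load versus a same-origin XHR.
    secret = {"account": "12345", "balance": 100}
    print(serve_json({"Sec-Fetch-Dest": "script", "Sec-Fetch-Site": "cross-site"}, secret))
    status, body = serve_json({"X-Requested-With": "XMLHttpRequest"}, secret)
    print(status, parse_protected_json(body))
```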
Of course, it is not possible for a malicious web site to simply load a script
from a different domain and view its contents. That would still violate the
same origin policy, regardless of whether the response in question contains
JavaScript or other content. Rather, the malicious web site uses a