From: dhtml on 16 Feb 2010 21:55

On Feb 15, 4:53 pm, "dino d." <dinodorr...(a)yahoo.com> wrote:
> > Any script resource can
> > be referred to from any document (which is what powers Google Analytics,
> > Google Maps, aso.).
> >
> > If you look more closely, you will observe that this script simply causes a
> > SCRIPT element to be inserted (in an expectedly stupid way, though, it is
> > the `</' that would need to be escaped, not the `<script>' or the
> > `</script>').
>

Whoops, looks like I submitted the wrong message (empty), not the reply I typed. Again....

That was right advice and is included in the code guidelines doc that I will update soon with new comments from kangax.

Problems with ReCaptcha:

* Tends to break kbd a11y by messing up tab index order. This is a real problem with laptop users who are stuck with a trackpad.
* Hard for humans to read. ReCaptcha creates usability problems with hard-to-read, obscure words.
* Requires javascript, provides no fallback. This violates WCAG and Section 508.
From: dino d. on 19 Feb 2010 09:55

I found the answer to my question. You cannot do an ajax call this way. You can accomplish updating a widget by adding a javascript element to the DOM, whose src is your widget server, which then can modify your widget. You can see a good writeup here: http://www.ibm.com/developerworks/library/x-ajaxsecurity.html

Dino

On Feb 15, 4:37 pm, "dino d." <dinodorr...(a)yahoo.com> wrote:
> hi - i'm building a widget, and i'd like the user to be able to request
> a new widget by clicking an ajax link in the widget itself. it
> doesn't work, and i presume it's because of the built in xss
> protection in browsers (to prove this to myself, i placed an html file
> that contains the widget in the public directory of the widget server,
> and this works fine).
>
> however, recaptcha has managed to work around this, you add some
> javascript to your page, and that javascript writes a captcha widget
> into your form. in that widget, there is a 'request a new challenge'
> link which works fine. it does exactly what i'm trying to do. - it
> goes to the recaptcha server, renders a new widget, and replaces the
> div of the widget, even though the page and the widget are from
> different domains.
>
> now, going through the code, they're doing something weird- the actual
> code that you put in your web page looks like this:
>
> var RecaptchaState = {
> ... //several variables
> programming_error : '',
> is_incorrect : false
> };
>
> document.write('<scr'+'ipt type="text/javascript" s'+'rc="' +
> RecaptchaState.server + 'js/recaptcha.js"></scr'+'ipt>');
> (function() {
> var _recaptcha = document.createElement('script');
> _recaptcha.type = 'text/javascript';
> _recaptcha.async = true;
> _recaptcha.src = (document.location.protocol == 'https:' ?
> 'https' : 'http') + '://www.google.com/recaptcha/api/challenge?
> k=asdfasdfasdf (your key) &darklaunch=1'; //i've removed my key here
> (document.getElementsByTagName('head')[0] ||
> document.getElementsByTagName('body')[0]).appendChild(_recaptcha);
> })();
>
> somehow, this is tricking the browser into thinking that the widget is
> the same source as the web site that is embedding it?
>
> before i dig any deeper, does anyone know how to get around XSS
> security precautions the way recaptcha does?
>
> thanks,
> dino
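An added example, not code from this thread and not reCAPTCHA's own script, of the pattern the reply above settles on: the page refreshes a widget by appending a script element whose src points at the widget server, and the server answers with JavaScript that hands the new markup to a callback on the page. It also shows the server-side escaping the earlier reply in the thread insists on (it is `</` inside the script body that must be escaped, not the `<script>` tags). The names loadWidget, widgetScriptUrl, buildWidgetResponse, isSafeCallbackName, jsStringLiteral and the endpoint https://widget.example/widget are assumptions for this example.

```javascript
// Added example, not code from this thread or from reCAPTCHA. Assumed names:
// loadWidget, widgetScriptUrl, buildWidgetResponse, isSafeCallbackName,
// jsStringLiteral and the hypothetical endpoint https://widget.example/widget.

// ---- shared: callback-name policy --------------------------------------
// The server reflects the callback name into executable JavaScript, so it
// must be a plain identifier. Anything looser turns the endpoint into a
// reflected-XSS sink on the widget server's origin.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && SAFE_CALLBACK.test(name);
}

// ---- client side (embedding page) ---------------------------------------
function widgetScriptUrl(baseUrl, key, callbackName) {
  if (!isSafeCallbackName(callbackName)) {
    throw new Error("refusing to request with an unsafe callback name");
  }
  return baseUrl + "?k=" + encodeURIComponent(key) +
    "&callback=" + encodeURIComponent(callbackName);
}

// Browser-only: appends the script element, installs a one-shot global
// callback and cleans both up afterwards. The fetched script runs with the
// embedding page's full privileges; the page is trusting the widget server
// completely. Nothing here bypasses the same-origin policy, which is why a
// plain XHR to another domain failed while this works.
function loadWidget(win, baseUrl, key, container) {
  const doc = win.document;
  const cbName = "widgetCb_" + Date.now() + "_" + Math.floor(Math.random() * 1e6);
  const script = doc.createElement("script");
  win[cbName] = function (html) {
    container.innerHTML = html;      // markup the page already chose to trust
    delete win[cbName];
    if (script.parentNode) script.parentNode.removeChild(script);
  };
  script.async = true;
  script.src = widgetScriptUrl(baseUrl, key, cbName);
  (doc.head || doc.body).appendChild(script);
  return cbName;
}

// ---- server side (what GET /widget returns) ------------------------------
// Embed the widget markup as a JS string literal. JSON.stringify covers
// quotes, backslashes and control characters; "</" is additionally escaped so
// a literal "</script>" in the markup cannot close the script element if the
// response is ever inlined with document.write; U+2028/U+2029 are escaped
// because they are line terminators in JavaScript source.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildWidgetResponse(callbackName, widgetHtml) {
  if (!isSafeCallbackName(callbackName)) {
    // Refuse rather than reflect: whatever is returned is executed on the
    // embedding page.
    return { status: 400, contentType: "text/plain; charset=utf-8", body: "bad callback" };
  }
  return {
    status: 200,
    // A JavaScript MIME type; pair it with X-Content-Type-Options: nosniff.
    contentType: "application/javascript; charset=utf-8",
    body: callbackName + "(" + jsStringLiteral(widgetHtml) + ");",
  };
}

// Constructed sample (not real reCAPTCHA markup): one benign refresh response.
const SAMPLE_WIDGET = '<div class="w">Type the words: <b>a</b> <b>b</b></div>';
const sampleResponse = buildWidgetResponse("widgetCb_1", SAMPLE_WIDGET);
console.log(sampleResponse.body);
```

The client half needs a browser (`loadWidget(window, "https://widget.example/widget", key, document.getElementById("widget"))`); the server half is plain Node. The reCAPTCHA snippet's `'<scr'+'ipt'` split only keeps the HTML parser from seeing a tag while the loader itself is being written; the hazard that actually matters is `</` appearing inside the returned script body, which is what `jsStringLiteral` neutralises. Because the widget server's response executes in the embedding page's origin, validating the reflected callback name and refusing anything that is not a bare identifier is the one check the endpoint cannot skip.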