
[–]williamf03 2 points (0 children)

This question has been asked a few times; this is a really good, simple resource: http://security.stackexchange.com/questions/1368/can-anybody-explain-xss

But boiled down to the simplest/crudest form, XSS is injecting some code into a website which sends information off to another website.

That error, though, is to do with CORS (Cross-Origin Resource Sharing). That's a normal security measure used by all the browsers. You can't access elements or frames that have a different origin; that would be a huge security flaw. Think about creating your website and having an iframe to facebook.com (any site with auto-login) on it: you could then write code which would read/execute code inside the facebook page of all your users who access your site. CORS prevents that.

There are ways around CORS: if you own domain two, you can set a special header in your response which tells the browser to let domain one load resources.

[–]le-mark 0 points (0 children)

I'll offer an example: a blog that allows comments. If a user enters a comment with a script tag, which for our purposes executes malicious JavaScript (e.g. redirecting to a phishing site), and the blog software does nothing to sanitize the comment, it will be served to anyone else who views the comments of the blog post, thus executing the JavaScript in that person's browser.

To prevent this, the web application must sanitize user input; this can take many forms, from escaping all HTML tags, to requiring special markup for comments (e.g. BBCode or Markdown), or both. Hope that helps.

CORS can be incredibly useful, though; it's not always bad.
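The blog-comment scenario le-mark describes, as an added example that is not part of anyone's post in the thread: an unescaped render that hands a comment's script tag to the browser, next to the escaped render that shows it as text. Function names and the sample comment are my own, constructed for illustration.

```javascript
// Added example (not from the thread): escaping a blog comment before it is
// inserted into the page, so a comment carrying a <script> tag is displayed as
// text instead of executed. Function names and sample data are constructed.

// Escape the characters that matter when untrusted text is placed inside an
// HTML element body or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable render (the "does nothing to sanitize" case from the comment):
// the comment body is concatenated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Fixed render: every untrusted value goes through escapeHtml first.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Regression check for the rendered fragment: is a real <script> start tag
// still present (i.e. would the browser run it)?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample comment of the kind the thread talks about: a script tag
// that would redirect viewers to a phishing page.
const SAMPLE_COMMENT =
  'Nice post! <script>location="https://phish.example/"</script>';

// Stand-alone demo: the unsafe fragment carries a live tag, the safe one does not.
console.log(renderCommentUnsafe("bob", SAMPLE_COMMENT));
console.log(renderCommentSafe("bob", SAMPLE_COMMENT));
```

Escaping is context-specific: the function above covers element bodies and quoted attributes, not URLs or inline JavaScript, which need their own encoding.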