Is this document.write of content fetched from another site cross-site scripting or something different?

@Angie530

Posted in: #Cookie #CrossOrigin #Javascript #Php #Xss

This was on a website I had to work on.
It seems to me it's a horrible idea, but I was hoping to get other input before I told them it was.

var url = 'https://www.otherdomain.com/magic_php_file.php';
// Writes an inline script that asks jQuery to fetch the cross-origin URL and insert the response into #div
document.write('<script>jQuery( "#div" ).load( "' + url + '" );</script>');


The document.write happens on a domain different from otherdomain.com, so I am under the impression this is a cross-site scripting hole that they have created. My concerns were XSS and access to cookies; can anyone else help me understand any issues other than those, and whether using document.write & load is bad?
Thanks!


2 Comments


@Murray432

I think that since the example is using an AJAX request to get and load the PHP file, the cookies from the PHP file are loaded on the same domain, which gives the cookies loaded via the external PHP file access to the cookies on the local site.

Since the JS calls the cross-domain PHP file in the browser, it should be blocked by the Same-Origin Policy. If the CORS Headers on the PHP file are set to allow, it will break the Same-Origin Policy to load the PHP file. The JS could then pass the cookies from the local site to the external PHP script.

Lots of good information in this answer:
stackoverflow.com/a/17299796/8600052


@Frith620

Technically you can say it is cross-site scripting, but this is not an attack or a hole for one to attack through, since nothing the user entered is used to change what is inserted.

What the code is doing is inserting the result obtained from the other domain into a div on the current domain. There is an implication of trust here, meaning that what is returned by otherdomain.com from magic_php_file.php is good to insert into the div with id #div.

One can imagine this was done to load advertising or other embedded content. This is not entirely different from using Google AdSense, for example: Google gives you a script to insert into your HTML which loads another script from a Google domain and executes on your page.

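The trust point above can be made concrete: jQuery's .load() without a selector suffix passes the response to .html(), which executes any inline scripts, so whatever magic_php_file.php returns runs in the embedding page's origin. The following is an added example (not code from the question or either answer) that models that behaviour against a constructed response and contrasts it with a text-only insertion; the response body and the helper names are assumptions for illustration.

```javascript
// Added example, not from the original post. Models what jQuery's .load()
// does with the body returned from otherdomain.com: the markup is parsed
// into #div and every inline <script> in it executes in the embedding
// page's origin (same cookies, DOM and storage as the host page).
// The response below is constructed; it is not a real otherdomain.com file.
const constructedResponse = `
<div class="promo">Promo content from otherdomain.com</div>
<script>console.log(document.cookie)</script>
<p onmouseover="console.log(document.cookie)">hover me</p>
`;

// Inline <script> bodies that .load() would run as soon as the fragment
// is inserted into #div.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].trim());
  return found;
}

// Inline event-handler attributes (onclick=, onmouseover=, ...) that also
// run in the page's origin once the markup is in the DOM.
function inlineHandlers(html) {
  const re = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push('on' + m[1].toLowerCase());
  return found;
}

// Hardened alternative when the remote content only needs to be displayed:
// fetch the body and assign it to div.textContent instead of parsing it as
// markup. This helper shows the equivalent escaped form, in which nothing
// can execute.
function escapeHtml(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return html.replace(/[&<>"']/g, c => map[c]);
}

// Review summary: what executes under .load() versus under text insertion.
function reviewResponse(html) {
  return {
    scriptsRunByLoad: inlineScripts(html).length,
    handlersRunByLoad: inlineHandlers(html).length,
    scriptsRunByTextInsert: inlineScripts(escapeHtml(html)).length,
  };
}
```

If the content must stay live (ads, widgets), the usual fix is a sandboxed iframe pointing at the other domain, which keeps its scripts in their own origin rather than the host page's.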