AJAX - The Complete Reference


316 Part II: Developing an Ajax Library


NOTE HttpOnly does help prevent reading the cookie value through document.cookie;
however, if XHRs are employed at any time, they may view headers like Set-Cookie, given
that they have access to ALL response headers.

Cross-site scripting attacks aren't limited to stealing cookies. Anything undesirable
that is prevented by the same-origin policy could happen. For example, the script could
just as easily have snooped on the user's keypresses and sent them to http://www.evilsite.com.
The same-origin policy doesn't apply here: the browser has no way of knowing that
http://www.example.com didn't intend for the script to appear in the page. So let's see what a
hacker might do if they were really interested in messing with an Ajax application.
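The defense the chapter's Figure 7-10 refers to is output escaping. The following is an added example, not code from the book, showing a context-aware HTML escaper next to an incomplete one that only handles angle brackets; the comment widget, the function names, and the sample input are all constructed for illustration.

```javascript
// Added example (not from the book): why output escaping must cover every
// character that can alter the surrounding markup, not just < and >.

// Characters that change how the HTML parser reads element text or a
// quoted attribute value, with their entity replacements.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Render an untrusted value as inert text, safe in element content and
// inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// An incomplete escaper that is common in practice: it neutralizes tags in
// element text but leaves quotes alone, so inside an attribute the value can
// still close the attribute and start a new one.
function escapeAnglesOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hypothetical comment widget that places untrusted input in two contexts:
// an attribute value (title) and element content (the comment body).
function renderComment(author, text, escape = escapeHtml) {
  return `<div class="comment" title="${escape(author)}">${escape(text)}</div>`;
}

// True if the rendered markup still contains a raw tag or an attribute
// boundary that the untrusted input was able to introduce.
function looksInjected(html) {
  return /<script/i.test(html) || /"\s+on[a-z]+\s*=/i.test(html);
}

// Constructed sample input: an author string that tries to break out of the
// title attribute, and a body that carries a script tag.
const CONSTRUCTED_AUTHOR = '" onmouseover="alert(1)';
const CONSTRUCTED_TEXT =
  'hi <script>location="http://www.evilsite.com/"</script>';

console.log(renderComment(CONSTRUCTED_AUTHOR, CONSTRUCTED_TEXT));
console.log(renderComment(CONSTRUCTED_AUTHOR, CONSTRUCTED_TEXT, escapeAnglesOnly));
```

With escapeHtml both contexts render as plain text; with escapeAnglesOnly the body is safe but the title attribute is still broken out of, which is the case Figure 7-10's advice is meant to rule out.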

XHR Hijacking with XSS


As a dynamic prototype-based scripting language, JavaScript is quite powerful; in fact, you
can fundamentally change the way built-in objects act. For example, if you desired to add a

FIGURE 7-10 Escaping output significantly reduces the chance of XSS.