They don't have to use ajax. They can load an image with an arbitrary url and pa... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		cousin_it on Feb 4, 2013 \| parent \| context \| favorite \| on: Hello Firefox, this is Chrome calling They don't have to use ajax. They can load an image with an arbitrary url and pass the keypress data in the url parameters, or dynamically create a script tag, or create an iframe and submit a form in it, etc. The script tag method also lets them get data back from the remote endpoint, if the remote endpoint is kind enough to encode it as JSONP.

marcusf on Feb 4, 2013 [–]

I think he's referring to a hostile script trying to bind to keydown -- usually you shove the banners in iframes to limit this possibility when you include external untrusted content. I assume the same holds true here, though.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact