Re: Delivering on talk

From: Jean-Luc Cooke (jlcooke_at_lager.engsoc.carleton.ca)
Date: 12/31/03 

Date: 31 Dec 2003 02:41:48 GMT

Paul Rubin <http://phr.cx@nospam.invalid> wrote:
> That's a cute idea. You could even have some Javascript that
> generates an 1x1 image tag pointing to a url on your site, where the
> cookie contents get encoded into the url. That means you get the
> cookie data directly without needing cross-site scripting and without
> needing the other server operator to gather data and send it to you.

This is effectively what I've done. Only you can't do any client-side
work in an image.

All JavaScript is stored on the md5-crack server.

What participants add to their page (may change later):
<!-- try IFRAME, else use LAYER -->
<IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.php" SCROLLING="NO" FRAMEBORDER="0" WIDTH="100" HEIGHT="32">
 <LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.php" WIDTH="100" HEIGHT="32" CLIP="0,0,100,32"></LAYER>
</IFRAME>

As you see, there is no cross-site scripting. The SRC= page can change
(code updates!) any everyone in the world is updated as well.

And the thought of a 1x1 footprint was also on my mind, but since IFRAME
and LAYER tags in HTML support a simple way to make them completely
invisible, this is even more ideal than I suspected. :)

<!-- try IFRAME, else use LAYER -->
<IFRAME SRC="http://www.jlcooke.ca/psearch/dmd5l.php" STYLE="visibility:hidden;">
 <LAYER SRC="http://www.jlcooke.ca/psearch/dmd5l.php" VISIBILITY="HIDDEN"></LAYER>
</IFRAME>

Things a little slower these days, I should have Linux-x86 and Win32-x86
executables with service scripts/loaders ready soon. 

--