I've recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:
Browsers prevent pages of one domain from reading pages
This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) than the current page (A), the developers decided to use JSONP. So site A includes a script pointing to http://B/userdata.js which is something like:
displayMySecretData({"secret":"this is very secret", ...})
So A defines a function called displayMySecretData, and when the included script from server B runs, it calls that function and displays the secret data to the user.
Now evil server E comes along. It sees that A is including data from B using JSONP. So server E includes the same script, but defines its own displayMySecretData which instead steals the data.
The attacker then tricks the user into visiting his site. When the user goes there and he is logged in to B, the browser automatically sends the authentication cookies for B along with the request to fetch the script from B. B sees an authenticated user, and thus returns the script as expected. E gets the data, and presto...
Using JSONP to load confidential data from a different domain this way is thus really insecure, but people are still using it. Bad idea!