Posts

Showing posts from March 2014

How do I load binary image data using Javascript and XMLHttpRequest?

Ref: http://stackoverflow.com/questions/1095102/how-do-i-load-binary-image-data-using-javascript-and-xmlhttprequest
Ref: http://emilsblog.lerch.org/2009/07/javascript-hacks-using-xhr-to-load.html

    // one-time code
    if (/msie/i.test(navigator.userAgent) && !/opera/i.test(navigator.userAgent)) {
        var IEBinaryToArray_ByteStr_Script =
            "<!-- IEBinaryToArray_ByteStr -->\r\n" +
            "<script type='text/vbscript'>\r\n" +
            "Function IEBinaryToArray_ByteStr(Binary)\r\n" +
            " IEBinaryToArray_ByteStr = CStr(Binary)\r\n" +
            "End Function\r\n" +
            "Function IEBinaryToArray_ByteStr_Last(Binary)\r\n" +
            " Dim lastIndex\r\n" +
            " lastIndex = LenB(Binary)\r\n" +
            " if lastIndex mod 2 Then\r\n" +
            " IEBinaryToArray_ByteStr_Last = Chr( AscB( MidB( Binary, lastIndex, 1 ) ) )\r\n" +
            " Else\r\n&q

Web Security

Tools: Qualys, Cenzic

1. Clickjacking (iframe, CSRF): add the X-Frame-Options header to the response for each JSP, HTML page, and filter.
2. DoS attack (denial of service): set an HTTP request timeout. Update Tomcat to version 6.0.39 (6.x).
3. Cookie HttpOnly: cookie and Tomcat jsessionid cookie.
4. crossdomain.xml: Flash cross-domain setting.

Ref: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

    Header always append X-Frame-Options SAMEORIGIN

Configuring nginx

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

    add_header X-Frame-Options SAMEORIGIN;

Configuring IIS

To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <ad

Cross-window messaging with postMessage

Ref: http://javascript.info/tutorial/cross-window-messaging-with-postmessage#example

The cross-window messaging API is supported by all modern browsers, including IE8. It allows windows/frames from multiple domains to communicate with each other.

To send a message to another window referenced by win, the postMessage method is used. The syntax is postMessage(data, targetDomain), where:

data
    The message. According to the specification, it could be any object. But as of now, only strings are supported in major browsers.
targetDomain
    Limits the receiving iframe to the given domain. Can contain '*', which doesn't put any restrictions. Usually, the domain of the iframe is known, so it is recommended to pass it as the targetDomain argument for better security.

Example

Let's see how it works from the sending side.

    <iframe src="http://a.JavaScript.info/files/tutorial/window/receive.html" id="iframe" style="height:60px"></iframe>