Hacker News new | comments | show | ask | jobs | submit login

Not really, no. If all it takes to exploit the remote service is to make the request (i.e., you don't need to be able to read the response data to exploit it), you can easily force a request by means other than XHR; an image tag is probably the most straightforward.

Also, strictly speaking, this class of attack is Cross-Site Request Forgery (CSRF), not Cross-Site Scripting (XSS).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact