Question regarding XDR and https from Hallvord R. M. Steen on 2008-03-27 (public-webapi@w3.org from March 2008)

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Thu, 27 Mar 2008 10:08:25 +0900
To: public-webapi@w3.org
Message-ID: <op.t8nhgb1ha3v5gv@hr-opera.oslo.opera.com>

Hi,
I understand that XDomainRequests will omit sending any cookies and  
HTTP-Auth to a 3rd party site. However, what happens if the 3rd party site  
uses SSL-based authentication instead? For example, my bank uses an SSL  
certificate saved in my browser. Can https://attacker.example.com now use  
XDR to send POST requests to my bank with my SSL credentials?

If this is the case, I think XDR does increase attack surface compared to  
HTML form posts, because many browsers are configured to warn or inform  
the users when entering or leaving HTTPS sites. (Most likely everybody on  
this list has disabled the warning/information message years ago, but many  
average users will still have it enabled.)

-- 
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience

Received on Thursday, 27 March 2008 01:07:48 UTC