
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Scott Shattuck <idearat@mindspring.com>
Date: Mon, 6 Apr 2009 16:21:43 -0600
Message-Id: <4A06044C-EA4E-42D4-A368-3CC9BFE822F8@mindspring.com>
To: Webapps WG <public-webapps@w3.org>
> Using a variation on the example in the spec...
>
> var password = ...   // global variable holds user's password
>
> function deleteItem(itemURL, updateUI) {
>  var client = new XMLHttpRequest()
>  client.open("DELETE", itemURL)
>  client.onload = updateUI
>  client.onerror = updateUI
>  client.onabort = updateUI
>  client.send("password=" + password)
> }

Well, if a script can rely on someone being as foolish as to store
their username and password as globals then why bother working that
hard... just ping a URL with them. I can't see how this is relevant to
the spec in terms of a specific vulnerability.


ss
Received on Monday, 6 April 2009 22:22:26 GMT
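The quoted snippet issues a cross-origin DELETE, which under CORS is not a "simple" request: the browser sends an OPTIONS preflight first, and the server has to opt in explicitly before the real request is ever sent. The following is an added example (not code from this thread or from the CORS specification) of the server-side policy decision that opt-in implies: an exact-origin allowlist, no wildcard reflection, and a rejected preflight that carries no CORS headers at all. The allowlisted origin `https://app.example`, the functions `corsHeaders` and `handleRequest`, and the header shapes passed in are assumptions made for the example.

```javascript
// Added example, not from the mailing-list thread: minimal server-side
// CORS policy for a resource that accepts cross-origin DELETE.

// Constructed allowlist for the example; a real service loads this from config.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
const ALLOWED_METHODS = new Set(['GET', 'DELETE']);

// Decide which CORS headers to emit for a given Origin.
// `requestedMethod` is present only on a preflight (Access-Control-Request-Method).
// Returns null when the origin is not allowed, so nothing is ever reflected.
function corsHeaders(origin, requestedMethod) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin, // exact origin, never '*'
    'Vary': 'Origin',                      // caches must key on Origin
  };
  if (requestedMethod !== undefined) {
    if (!ALLOWED_METHODS.has(requestedMethod)) return null;
    headers['Access-Control-Allow-Methods'] = [...ALLOWED_METHODS].join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Dispatch one request. `headers` is a lowercase-keyed header map
// (the shape Node's http module provides); returns {status, headers}.
function handleRequest(method, headers) {
  const origin = headers['origin'];
  if (origin === undefined) {
    // No Origin header: same-origin or non-browser client, CORS does not apply.
    return { status: 200, headers: {} };
  }
  if (method === 'OPTIONS') {
    const cors = corsHeaders(origin, headers['access-control-request-method']);
    // A refused preflight gets no CORS headers, so the browser never sends
    // the DELETE that would carry the body from the quoted snippet.
    return cors ? { status: 204, headers: cors } : { status: 403, headers: {} };
  }
  // Non-preflighted ("simple") cross-origin requests still reach the server
  // even when the browser hides the response, so the origin check runs here too
  // rather than relying on the browser alone.
  const cors = corsHeaders(origin);
  if (cors === null) return { status: 403, headers: {} };
  return { status: 200, headers: cors };
}
```

The split between the two functions is deliberate: `corsHeaders` holds the policy, `handleRequest` only wires it to the preflight and actual-request paths, so the allowlist is checked in one place for both.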

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT