Re: [cors] security issue with XMLHttpRequest API compatibility

> Using a variation on the example in the spec...
>
> var password = ...   // global variable holds user's password
>
> function deleteItem(itemURL, updateUI) {
>  var client = new XMLHttpRequest()
>  client.open("DELETE", itemURL)
>  client.onload = updateUI
>  client.onerror = updateUI
>  client.onabort = updateUI
>  client.send("password=" + password)
> }

Well, if a script can rely on someone being as foolish as to store  
their username and password as globals then why bother working that  
hard...just ping a url with them. I can't see how this is relevant to  
the spec in terms of a specific vulnerability.


ss

Received on Monday, 6 April 2009 22:22:26 UTC