
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 07 Apr 2009 01:47:02 +0200
To: "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
Cc: public-webapps@w3.org
Message-ID: <op.urzococc64w2qv@annevk-t60.oslo.opera.com>
On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> I don't have any numbers, but I believe using a plaintext password in
> the request body or URL is a fairly common design in web applications.
> I certainly see it in a lot of protocol documentation. Before CORS,
> there was no threat of this password being sent to the wrong site,
> since the client code could only message with the one site. Now the
> attacker can instruct the browser to message with additional sites.

That's wrong actually. There are plenty of ways to send messages cross-origin nowadays:

  * <img src>
  * <iframe src>
  * <object data>
  * <embed src>
  * <form action>
  * <script src>
  * 'background-image'
  * 'cursor'
  * 'list-style-image'
  * ...

(All can be instantiated from script, in case that was not clear.)


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 6 April 2009 23:47:53 GMT
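Anne's list of script-instantiable loaders, turned into a small audit script. This is an added example and not part of the thread or any W3C deliverable; the element/attribute table, the CSS property list and the sample markup are constructed here, and the scanner is regex-based (a real audit would use a DOM parser). It reports every element or CSS property in a page that would make the browser issue a request to an origin other than the page's own, which is the point of the reply: such requests were already possible before CORS.

```javascript
// Added example: find markup that triggers cross-origin requests.
// Elements from the reply, mapped to the attribute that carries a URL.
const URL_ATTRS = { img: "src", iframe: "src", object: "data", embed: "src",
                    form: "action", script: "src" };
// CSS properties from the reply whose url() value the browser fetches.
const URL_PROPS = ["background-image", "cursor", "list-style-image"];

// Resolve a possibly relative URL against the page and return its origin,
// or null when it does not parse.
function originOf(rawUrl, base) {
  try { return new URL(rawUrl, base).origin; } catch (e) { return null; }
}

// Returns one { via, url, origin } record per cross-origin fetch the markup
// would trigger; same-origin loaders are ignored.
function crossOriginTargets(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const hits = [];
  const record = (via, url) => {
    const origin = originOf(url, pageUrl);
    if (origin && origin !== pageOrigin) hits.push({ via, url, origin });
  };
  // <tag ... attr="value"> for each element/attribute pair
  for (const [tag, attr] of Object.entries(URL_ATTRS)) {
    const re = new RegExp(`<${tag}\\b[^>]*\\s${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
    for (const m of html.matchAll(re)) record(`<${tag} ${attr}>`, m[1]);
  }
  // property: url(value) in inline style attributes or <style> blocks
  for (const prop of URL_PROPS) {
    const re = new RegExp(`${prop}\\s*:\\s*url\\(\\s*["']?([^"')]+)["']?\\s*\\)`, "gi");
    for (const m of html.matchAll(re)) record(`'${prop}'`, m[1]);
  }
  return hits;
}

// Constructed sample page: one same-origin loader and five foreign ones.
const SAMPLE_PAGE = "https://app.example/account";
const SAMPLE_HTML = `
<img src="/logo.png">
<img src="https://other.example/track?id=1">
<form action="https://other.example/login" method="post"></form>
<script src="https://cdn.example/lib.js"></script>
<div style="background-image: url('https://other.example/bg.png')"></div>
<style>li { list-style-image: url(https://cdn.example/dot.png); }</style>
`;

for (const h of crossOriginTargets(SAMPLE_HTML, SAMPLE_PAGE)) {
  console.log(`${h.via} -> ${h.origin}`);
}
```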
