
Re: [cors] security issue with XMLHttpRequest API compatibility

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 6 Apr 2009 16:49:13 -0700
Message-ID: <5691356f0904061649x5e4a9475y263b5da48203fbd9@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Jonas Sicking <jonas@sicking.cc>, public-webapps@w3.org
Well, Anne, as I said in the previous paragraph, the one you deleted,
I'm considering an application that does its messaging via
XMLHttpRequest.

Sheesh.

--Tyler

On Mon, Apr 6, 2009 at 4:47 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> I don't have any numbers, but I believe using a plaintext password in
>> the request body or URL is a fairly common design in web applications.
>> I certainly see it in a lot of protocol documentation. Before CORS,
>> there was no threat of this password being sent to the wrong site,
>> since the client code could only message with the one site. Now the
>> attacker can instruct the browser to message with additional sites.
>
> That's wrong actually. There are plenty of ways to send messages
> cross-origin nowadays:
>
>  * <img src>
>  * <iframe src>
>  * <object data>
>  * <embed src>
>  * <form action>
>  * <script src>
>  * 'background-image'
>  * 'cursor'
>  * 'list-style-image'
>  * ...
>
> (All can be instantiated from script, in case that was not clear.)
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
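The mitigation implied by the concern above (a plaintext password in an XHR body must only ever reach the origin the application intends), as an added example that is not code from anyone in this thread. The names EXPECTED_ORIGIN, isExpectedOrigin, sendWithPassword and recordingXhr are assumptions, and the origin is a constructed sample.

```javascript
// Added example, not from the thread: refuse to attach the password unless
// the target resolves to the one origin the application trusts, so a URL
// influenced by an attacker cannot carry the secret to another site.
const EXPECTED_ORIGIN = "https://app.example"; // constructed sample origin

// Resolve the target the way a browser would (relative paths, userinfo,
// protocol-relative URLs, default ports) and compare the full origin,
// never a substring of the host string.
function isExpectedOrigin(target, base = EXPECTED_ORIGIN + "/") {
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return false; // unparseable targets never get the credential
  }
  return url.origin === new URL(base).origin;
}

// xhrFactory is injected so this runs outside a browser; in a page you
// would pass () => new XMLHttpRequest().
function sendWithPassword(target, password, xhrFactory) {
  if (!isExpectedOrigin(target)) {
    return { sent: false, reason: "origin mismatch" };
  }
  const url = new URL(target, EXPECTED_ORIGIN + "/").href;
  const xhr = xhrFactory();
  xhr.open("POST", url);
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  xhr.send("password=" + encodeURIComponent(password));
  return { sent: true, url };
}

// Minimal stand-in for XMLHttpRequest that only records what it was asked
// to send, so the guard can be exercised under Node.
function recordingXhr() {
  const rec = { method: null, url: null, headers: {}, body: null };
  return {
    open(m, u) { rec.method = m; rec.url = u; },
    setRequestHeader(k, v) { rec.headers[k] = v; },
    send(b) { rec.body = b; },
    rec,
  };
}
```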
Received on Monday, 6 April 2009 23:49:53 GMT
