W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: Redirects and HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 26 Sep 2014 14:11:35 +0200
Message-ID: <CADnb78h-4LmHYrPMJJXpj4g_HWAEg8YMvsGapuWHaeKSUmW8MA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Sep 26, 2014 at 1:55 PM, Mike West <mkwst@google.com> wrote:
> What's the attack you're considering?

E.g. if you know about an image on a domain you could check with

<img src=http://target.example/ onload=visited() onerror=notvisited()>

due to client-side HSTS rewriting and the recommend setup of port 80
redirecting to 443.


-- 
https://annevankesteren.nl/
Received on Friday, 26 September 2014 12:12:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC