[whatwg] "first script" and impersonating other pages - pushState(url)

Ian Hickson wrote:
> 
> On Thu, 3 Sep 2009, Mike Wilson wrote:
> >
> > - calling pushState(..., "/pages/section1/thing2") when
> >   first script's basedir=/pages/section1 will be ok
> >
> > - calling pushState(..., "/pages/section2/thing2") when
> >   first script's basedir=/pages/section1 will not be 
> >   allowed (and throw).
> > 
> > Is any of these wrong?
> 
> The path part of the URL is ignored when deciding whether or 
> not to allow the call.

Rereading the spec again I see that. Sorry, my bad :-S
I see now that the first script's url is only used to keep 
pushState on the same origin, while I was expecting it to
keep pushState urls on the same "sub branch" path.

But doesn't this open up a fairly bad security exploit?

Let's say that I have rights to post to a blog on:
  www.corporatesite.com/fan/blog
Assuming I can get some JavaScript inside one of my blog
posts, I can then pretend I am redirecting the user to:
  www.corporatesite.com/topclientsonly/login
while I am really impersonating that page through pushState
and harvesting their passwords.

The result is that the address bar URL can't be trusted, as
any page on the site can impersonate any other without 
consent from that page or part of the site?

Best regards
Mike

Received on Thursday, 3 September 2009 15:47:20 UTC