- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 3 Sep 2009 23:01:17 +0000 (UTC)
On Fri, 4 Sep 2009, Mike Wilson wrote:
>
> Let's say that I have rights to post to a blog on:
> www.corporatesite.com/fan/blog
> Assuming I can get some JavaScript inside one of my blog
> posts, I can then pretend I am redirecting the user to:
> www.corporatesite.com/topclientsonly/login
> while I am really impersonating that page through pushState
> and harvesting their passwords.

The Web has a same-origin security model. If you're sharing one origin
between two untrusted authors, you've already lost.

For example, today you could already do what you describe -- just use
window.open() to open the topclientsonly/login page, and then inject
script to grab the password.

> The result is that the address bar URL can't be trusted, as any page on
> the site can impersonate any other without consent from that page or
> part of the site?

That's already the case.

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2009 16:01:17 UTC