[whatwg] "first script" and impersonating other pages - pushState(url)

From: Justin Lebar <justin.lebar@gmail.com>
Date: Thu, 3 Sep 2009 15:58:07 -0700
Message-ID: <c84706c70909031558s5a10a8a9k3233fb865ddb7e8e@mail.gmail.com>

Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work.  My understanding is that if A and B have the same
origin, they can do whatever they want to each other's documents,
including modifying content.  So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the JavaScript which runs
on your origin.

Received on Thursday, 3 September 2009 15:58:07 UTC
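
The point made in the message above, that an origin is scheme, host and port and the path does not separate pages, shown as an added example that is not part of the original post. It audits a site inventory for sensitive pages that share an origin with untrusted script; the example.test hosts, the inventory and all function names are assumptions made for illustration.

```javascript
// Added example: same-origin grouping for a URL inventory (constructed data).
// An origin is (scheme, host, port); the path plays no part in it.

// Returns the serialized origin, or null for opaque origins (data:, file:, ...).
function originOf(url) {
  const o = new URL(url).origin; // WHATWG URL parser; default ports are dropped
  return o === "null" ? null : o;
}

// Two URLs are same-origin only if both origins are non-opaque and equal.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// Mirrors the same-origin restriction on the URL argument of pushState() for
// http(s) documents: the target is resolved against the document URL and
// must stay on the document's origin.
function pushStateAllowed(documentUrl, target) {
  let resolved;
  try { resolved = new URL(target, documentUrl).href; } catch { return false; }
  return sameOrigin(documentUrl, resolved);
}

// For each sensitive URL, list the untrusted-script URLs sharing its origin.
function exposedPages(inventory) {
  const untrusted = inventory.filter((e) => !e.trusted);
  const report = {};
  for (const page of inventory.filter((e) => e.sensitive)) {
    report[page.url] = untrusted
      .filter((u) => sameOrigin(u.url, page.url))
      .map((u) => u.url);
  }
  return report;
}

// Constructed inventory; hosts are hypothetical placeholders.
const INVENTORY = [
  { url: "http://example.test/securesite", sensitive: true, trusted: true },
  { url: "http://example.test/~mwilson", sensitive: false, trusted: false },
  { url: "http://example.test:80/~other", sensitive: false, trusted: false },
  { url: "http://users.example.test/~mwilson", sensitive: false, trusted: false },
  { url: "https://example.test/~mwilson", sensitive: false, trusted: false },
];
```

Moving user-controlled content to its own host (the users.example.test entry) is what takes it out of the sensitive page's origin; a different path on the same host does not.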