
[whatwg] "first script" and impersonating other pages - pushState(url)

From: Justin Lebar <justin.lebar@gmail.com>
Date: Thu, 3 Sep 2009 15:58:07 -0700
Message-ID: <c84706c70909031558s5a10a8a9k3233fb865ddb7e8e@mail.gmail.com>

Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work.  My understanding is that if A and B have the same
origin, they can do whatever they want to each other's documents,
including modifying content.  So if you can control script at
http://google.com/~mwilson, and a user has both your site and
http://google.com/securesite, then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the JavaScript which runs
on your origin.

-Justin
Received on Thursday, 3 September 2009 15:58:07 UTC
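
The point made in the message above, as an added example that is not part of the original thread: an origin is the (scheme, host, port) tuple, so two paths on one host share a trust boundary, and the same-origin restriction on pushState's url argument does not separate them. The function names are hypothetical, and every sample URL other than the two quoted from the message is constructed.

```javascript
// Added example. An origin is (scheme, host, port); the path is not part of it.
function originOf(url, base) {
  // URL.origin serializes scheme://host[:port] and drops default ports.
  return new URL(url, base).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // Opaque origins (data:, etc.) serialize as "null" and never match anything.
  return oa !== "null" && oa === ob;
}

// Models only the same-origin restriction on pushState's url argument:
// the target is resolved against the document URL, then origins are compared.
function pushStateAllowed(documentUrl, targetUrl) {
  return sameOrigin(documentUrl, new URL(targetUrl, documentUrl).href);
}

// Group URLs by origin. Every script served from one group must be trusted
// as a unit, because the browser draws no boundary inside a group.
function trustGroups(urls) {
  const groups = new Map();
  for (const u of urls) {
    const key = originOf(u);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(new URL(u).pathname);
  }
  return groups;
}

// The first two URLs are from the message; the rest are constructed variants.
const sample = [
  "http://google.com/~mwilson",
  "http://google.com/securesite",
  "http://google.com:80/securesite",   // default port: same origin
  "https://google.com/securesite",     // different scheme
  "http://google.com:8080/securesite", // different port
  "http://users.google.com/~mwilson",  // different host
];

for (const [origin, paths] of trustGroups(sample)) {
  console.log(origin, "->", paths.join(", "));
}
```

Content that must not share a trust boundary with user-controlled script belongs in a group of its own, which means a different scheme, host or port rather than a different path.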
