[whatwg] "first script" and impersonating other pages - pushState(url)

From: Mike Wilson <mikewse@hotmail.com>
Date: Fri, 4 Sep 2009 11:00:24 +0200
Message-ID: <014701ca2d3e$24a0a310$0a01a8c0@mikedeskxp>

Justin Lebar wrote:
> Mike Wilson wrote:
> > The result is that the address bar URL can't be trusted, as
> > any page on the site can impersonate any other without
> > consent from that page or part of the site?
> 
> Someone will correct me if I'm wrong, but I think this is already
> pretty much the case with today's same-origin policy, albeit with a
> bit more work.  My understanding is that if A and B have the same
> origin, they can do whatever they want to each others' documents,
> including modifying content.  So if you can control script at
> http://google.com/~mwilson , and a user has both your site and
> http://google.com/securesite , then your malicious page can do
> whatever it wants to the secure page.
> 
> That's why it's important that you trust all the javascript which runs
> on your origin.

Ian Hickson wrote:
> The Web has a same-origin security model. If you're sharing 
> one origin between two untrusted authors, you've already lost.
> 
> For example, today you could already do what you describe -- just use 
> window.open() to open the topclientsonly/login page, and then inject 
> script to grab the password.

Yes of course, should have thought about that :-P. As
you say, it is trivial to add a frame that displays 
the victim page and then patch it to my needs.
Well, if there will ever be a path-based security
mechanism (as suggested in my other thread) I guess 
it could apply to pushState as well.

Thanks
Mike
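The check browsers apply to pushState's url argument, as an added model (not browser or spec code, and not part of this thread) written with Node's WHATWG URL class; the names pushStateTarget and tryPushState and the document and candidate URLs are constructed for illustration. It makes the thread's point concrete: the comparison covers scheme, host and port only, so any same-origin path can be placed in the address bar, while a different scheme, port or host is rejected.

```javascript
// Model of the same-origin check behind history.pushState(state, title, url).
// Added example: resolves the url argument against the document URL and
// compares origins (scheme + host + port), as the HTML spec requires.
// The path is deliberately NOT part of the comparison.

// Resolve `candidate` against `documentUrl`; return the resolved href when
// the origins match, otherwise throw with the error name a browser would use.
function pushStateTarget(documentUrl, candidate) {
  const doc = new URL(documentUrl);
  let target;
  try {
    target = new URL(candidate, doc); // relative URLs resolve against the document
  } catch (e) {
    const err = new Error(`unparseable URL: ${candidate}`);
    err.name = "SyntaxError";
    throw err;
  }
  if (target.origin !== doc.origin) {
    const err = new Error(
      `origin ${target.origin} does not match document origin ${doc.origin}`
    );
    err.name = "SecurityError";
    throw err;
  }
  return target.href;
}

// Non-throwing wrapper that reports whether the update would be permitted.
function tryPushState(documentUrl, candidate) {
  try {
    return { allowed: true, href: pushStateTarget(documentUrl, candidate) };
  } catch (e) {
    return { allowed: false, error: e.name };
  }
}

// Constructed inputs modelled on the hosts named in the thread.
const doc = "http://google.com/~mwilson/index.html";
const cases = [
  "/securesite",                       // same origin, other path: allowed
  "/topclientsonly/login?next=/home",  // same origin: allowed
  "https://google.com/securesite",     // scheme differs: SecurityError
  "http://google.com:8080/securesite", // port differs: SecurityError
  "http://evil.example/securesite",    // host differs: SecurityError
];

for (const c of cases) {
  console.log(c, "->", JSON.stringify(tryPushState(doc, c)));
}
```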
Received on Friday, 4 September 2009 02:00:24 UTC
