- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 14 Apr 2006 20:29:07 +0000 (UTC)
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: public-webapi@w3.org
On Fri, 14 Apr 2006, Julian Reschke wrote:
>
> Summary (from [2]):
>
> > The XmlHttpRequest object (implemented now in all current browsers)
> > allows issuing arbitrary HTTP (and WebDAV) requests under the
> > credentials of the authenticated user, in particular the DELETE
> > method.
> >
> > If user A prepares an HTML page containing code that will issue a
> > DELETE request against one of user B's resources, and tricks him/her
> > into navigating to that page, the browser will issue the DELETE
> > request with B's credentials (no confirmation required).

This is just your typical XSS attack.

   http://en.wikipedia.org/wiki/Cross_Site_Scripting

The solution is to not allow scripts uploaded by one user to be displayed to another user, or to only allow them to be displayed on a site that is unrelated to where you are doing your authenticated edits.

-- 
Ian Hickson                                      U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/                               U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 14 April 2006 20:29:18 UTC
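As an added example, not code from the thread or from either author, the scenario described above modelled in Node.js: a toy cookie-authenticated WebDAV server, the DELETE that user A's uploaded script would issue through XMLHttpRequest, and a browser model that attaches the victim's cookie automatically but, as browsers did in 2006 before CORS, refuses any XHR to an origin other than the page's own. It shows why Hixie's second mitigation (serve user-uploaded pages from an unrelated site) works: the same-origin check fails before the request ever leaves the browser. The hostnames, paths and session id are constructed for the demonstration; the first mitigation (not displaying uploaded scripts at all) is not modelled.

```javascript
// Added example, not code from the thread. Models the attack Julian describes
// and Hixie's second mitigation: a browser that attaches the user's cookie to
// every XMLHttpRequest but (as browsers did in 2006, before CORS) refuses XHR to
// any origin other than the page's own. Hostnames, paths and session ids are
// constructed for the demonstration.

// Browser-style origin of a URL: scheme, host and effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Pre-CORS same-origin policy for XMLHttpRequest: all three parts must match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Toy cookie-authenticated WebDAV server holding each user's resources.
function makeServer() {
  const sessions = { 'sid=b-session': 'userB' };            // constructed
  const resources = {
    '/dav/userB/notes.txt': { owner: 'userB', body: 'B private notes' },
  };
  return {
    resources,
    handle(req) {
      const user = sessions[req.headers.cookie];
      if (!user) return { status: 401 };
      const path = new URL(req.url).pathname;
      const res = resources[path];
      if (!res) return { status: 404 };
      if (req.method === 'DELETE') {
        // Authorization itself is correct: only the owner may delete. The
        // problem is that the owner's browser sends the request on A's behalf.
        if (res.owner !== user) return { status: 403 };
        delete resources[path];
        return { status: 204 };
      }
      if (req.method === 'GET') return { status: 200, body: res.body };
      return { status: 405 };
    },
  };
}

// What user A's uploaded script does: xhr.open('DELETE', url); xhr.send();
const attackerRequest = {
  method: 'DELETE',
  url: 'http://dav.example.test/dav/userB/notes.txt',
};

// Browser model: a script on pageUrl issues req. The cookie for the target
// host is attached automatically; a cross-origin XHR is refused outright.
function browserXhr(pageUrl, req, cookieJar, server) {
  if (!sameOrigin(pageUrl, req.url)) {
    return { status: 0, error: 'cross-origin XMLHttpRequest refused' };
  }
  const host = new URL(req.url).hostname;
  return server.handle({ ...req, headers: { cookie: cookieJar[host] || '' } });
}

// User B, logged in to dav.example.test, is tricked into viewing A's page.
function runScenario(pageUrl) {
  const server = makeServer();
  const cookieJar = { 'dav.example.test': 'sid=b-session' };
  const result = browserXhr(pageUrl, attackerRequest, cookieJar, server);
  return {
    status: result.status,
    deleted: !('/dav/userB/notes.txt' in server.resources),
  };
}

// A's page served from the DAV site itself: the DELETE succeeds with B's cookie.
console.log(runScenario('http://dav.example.test/dav/userA/page.html'));
// A's page served from an unrelated host: the browser never sends the request.
console.log(runScenario('http://usercontent.example.test/userA/page.html'));
```

The first call returns status 204 with B's resource gone; the second returns status 0 and the resource intact. One caveat for readers applying this today: with CORS, a cross-origin DELETE is not silently refused but preflighted with a credential-less OPTIONS, and the actual DELETE is only sent if the DAV server explicitly allows that origin with credentials, so the origin-separation mitigation still holds as long as the server does not opt in. Hosting uploaded pages on the authenticated origin remains fully exploitable either way.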