- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Thu, 27 Mar 2008 10:08:25 +0900
- To: public-webapi@w3.org
Hi,

I understand that XDomainRequests will omit sending any cookies and HTTP-Auth to a 3rd party site. However, what happens if the 3rd party site uses SSL-based authentication instead? For example, my bank uses an SSL certificate saved in my browser. Can https://attacker.example.com now use XDR to send POST requests to my bank with my SSL credentials?

If this is the case, I think XDR does increase attack surface compared to HTML form posts, because many browsers are configured to warn or inform the users when entering or leaving HTTPS sites. (Most likely everybody on this list has disabled the warning/information message years ago, but many average users will still have it enabled.)

-- 
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Thursday, 27 March 2008 01:07:48 UTC
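Added example (not from the post above, nor from any browser or W3C code): a server-side policy for a site that authenticates users with a TLS client certificate, treating that certificate like a cookie for cross-site purposes, since the TLS layer, not the XDR API, decides whether it is presented. The site origin, the `Origin` header check and the HMAC token scheme are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed origin of the certificate-authenticated site (stands in for "my bank").
SITE_ORIGIN = "https://bank.example"
# Per-deployment secret for anti-forgery tokens (constructed at import time).
TOKEN_KEY = secrets.token_bytes(32)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(cert_subject: str) -> str:
    """Anti-forgery token bound to the authenticated certificate subject.

    The token is delivered inside a same-origin page, so a page on
    another origin cannot read it and cannot replay it in a cross-site POST."""
    return hmac.new(TOKEN_KEY, cert_subject.encode(), hashlib.sha256).hexdigest()


def allow_request(method: str, headers: dict, cert_subject, token=None):
    """Decide whether a request carrying a client certificate may change state.

    Returns (allowed, reason).  The certificate alone never authorises a
    state-changing request: the request must either prove it came from our own
    origin (Origin header) or carry a token bound to that certificate."""
    if method in SAFE_METHODS:
        return True, "safe method"
    if cert_subject is None:
        return False, "no client certificate presented"
    origin = headers.get("Origin")
    if origin is not None:
        if origin == SITE_ORIGIN:
            return True, "same-origin request"
        # A cross-origin POST, e.g. an XDomainRequest from another site, is
        # refused even though the TLS layer supplied a valid certificate.
        return False, f"cross-origin request from {origin}"
    # No Origin header (older browsers, non-browser clients): require the token.
    if token is not None and hmac.compare_digest(token, issue_token(cert_subject)):
        return True, "valid anti-forgery token"
    return False, "state-changing request without origin proof or token"
```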