RE: XDomainRequest Integration with AC

On Fri, 18 Jul 2008, Eric Lawrence wrote:
>
> In the scenario you described, the threat was that there would be 
> information disclosure against an unsuspecting redirector in the middle 
> of a redirection chain.
> 
> It's not clear to me how providing read-access to the final destination 
> (which must opt-in to such access using an Access-Control response 
> header) would somehow disclose any information about the intermediary 
> redirector?
> 
> Could you describe a simple step-by-step attack scenario?

Let's say that there is a network of sites A, B, and C that all provide 
the same feature that is Access-Control-enabled. These features are 
distinguishable (i.e. you can tell which site it is from looking at the 
content of the Access-Control-enabled page).

Now suppose company X every week picks one of A, B, and C, and that 
knowing the pick ahead of time, if you're not an employee of company X or 
sites A, B, or C, can lead to some financial gain.

Now in company X's intranet, there is a server that redirects to the 
Access-Control-enabled feature of the site that will be picked in the 
coming week.

A hostile user could send an e-mail or IM to an employee of company X 
getting them to visit a page under the hostile user's control. That page 
now just has to do a cross-domain request to the intranet page to figure 
out which site will be picked in the coming week.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 19 July 2008 01:30:46 UTC
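The scenario above, modelled as an added Python example (not part of the original thread): a constructed three-site network plus an intranet redirector, a browser-style redirect-following fetch, and two candidate access-control policies: checking only the final destination (the behaviour Eric asks about) versus also requiring each intermediary redirector to opt in (a constructed mitigation, not something the thread or the spec specifies). All hostnames are constructed.

```python
"""Model of the redirect disclosure scenario above (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""

def _feature(site):
    # Each site opts in to cross-origin reads; bodies are distinguishable.
    return Response(headers={"Access-Control-Allow-Origin": "*"},
                    body=f"feature: {site}")

# Constructed network: A, B, C offer the same Access-Control-enabled
# feature; the intranet server redirects to this week's pick (B) and
# carries no Access-Control header itself.
NETWORK = {
    "https://a.example/feature": _feature("A"),
    "https://b.example/feature": _feature("B"),
    "https://c.example/feature": _feature("C"),
    "https://intranet.x.example/pick": Response(
        status=302, headers={"Location": "https://b.example/feature"}),
}

def _permits(resp, requester_origin):
    allow = resp.headers.get("Access-Control-Allow-Origin")
    return allow == "*" or allow == requester_origin

def cors_fetch(url, requester_origin, redirector_must_opt_in, max_hops=5):
    """Follow redirects as a browser would; return the body the requesting
    page may read, or None when access control denies it.  False: only the
    final destination is checked (the policy in the quoted question).
    True: every redirecting response must itself carry an Access-Control
    header (constructed mitigation)."""
    for _ in range(max_hops):
        resp = NETWORK[url]
        if 300 <= resp.status < 400:
            if redirector_must_opt_in and not _permits(resp, requester_origin):
                return None  # intermediary never opted in: reveal nothing
            url = resp.headers["Location"]
            continue
        return resp.body if _permits(resp, requester_origin) else None
    return None  # too many hops

def pick_disclosed(redirector_must_opt_in):
    """Does a page on an unrelated origin learn which site was picked?"""
    body = cors_fetch("https://intranet.x.example/pick",
                      "https://outside.example", redirector_must_opt_in)
    return body is not None and body.startswith("feature: ")
```

With the final-destination-only check, `pick_disclosed(False)` is True even though the intranet server never set any Access-Control header; requiring the redirector to opt in makes the same fetch return nothing.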