- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 6 Apr 2009 13:54:56 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
On Mon, Apr 6, 2009 at 11:29 AM, Tyler Close <tyler.close@gmail.com> wrote:
> It looks like the client-side API for cross-origin messaging is the
> same as the current XMLHttpRequest API. I think there's a security
> issue with this decision. The current XMLHttpRequest implementation
> drops any attempted cross-origin request. This implementation protects
> a client-side application that inadvertently sends a request to an
> unexpected target URL. Since the request is dropped by the browser
> implementation, any client credentials (such as a password) in the
> request body are not exposed to the wrong server. Since XMLHttpRequest
> has, to date, provided this protection, client scripts have had no
> real need to vet the URLs that they send messages to. Consequently, it
> seems unlikely that these scripts do any vetting of their target URLs.
> It may be possible for an attacker to cause a client script in another
> domain to send a request to a target URL on the attacker's server.
> Since the attacker controls his server, the resource can be marked as
> accepting cross-domain requests. Since the client script wasn't
> expecting such requests to succeed, it may include client credentials
> in the sent request.

How would the script include client credentials in the request? Can you show an example of the type of script you are concerned about?

/ Jonas
Received on Monday, 6 April 2009 20:55:46 UTC
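The following is an added illustration of the scenario the quoted message describes, written for this page; it is not code from either participant, from the thread, or from any browser. The origins, the login script, the allow-list check and the simplified browser model are all assumptions made for the example. It shows a client script that builds a login POST (password in the body) against an endpoint taken from page state, what happens to that body under legacy same-origin XHR versus a CORS-capable browser when the endpoint turns out to be an absolute URL on a foreign origin, and the URL vetting that closes the gap.

```javascript
// Added example for this page; not code from the thread or any browser.
// Origins, names and the browser model are assumptions for illustration.

const APP_ORIGIN = "https://app.example";           // assumed deploying origin
const ATTACKER_ORIGIN = "https://attacker.example"; // assumed attacker-controlled origin

// A script of the kind under discussion: it takes an endpoint from page
// state (query string, data attribute, a message from another frame, ...)
// and builds a login POST whose body carries the user's password.
function buildLoginRequest(endpoint, username, password) {
  // new URL(relative, base) resolves a relative path against the app's own
  // origin, but an absolute URL in `endpoint` replaces the base entirely,
  // so the script happily targets whatever origin the input names.
  const url = new URL(endpoint, APP_ORIGIN);
  const body = new URLSearchParams({ user: username, pass: password });
  return { url: url.href, origin: url.origin, method: "POST", body: body.toString() };
}

// The vetting step the thread says scripts had no incentive to perform while
// the browser dropped cross-origin XHR: refuse any target whose origin is not
// on an explicit allow-list, before any credential is attached to a request.
function vetTarget(request, allowedOrigins = [APP_ORIGIN]) {
  if (!allowedOrigins.includes(request.origin)) {
    throw new Error(`refusing to send credentials to ${request.origin}`);
  }
  return request;
}

// Simplified model of what the browser does with the request.
//   mode "legacy": cross-origin requests are dropped; the body never leaves.
//   mode "cors":   a "simple" POST (form-encoded body, no custom headers)
//                  needs no preflight, so the body is on the wire before any
//                  response header is examined; a non-simple request is
//                  preflighted and its body is sent only if the server opts
//                  in, which a server the attacker controls will do.
function dispatch(request, { mode, preflighted = false, serverOptsIn = false }) {
  if (request.origin === APP_ORIGIN) return { bodySent: true, responseReadable: true };
  if (mode === "legacy") return { bodySent: false, responseReadable: false };
  const bodySent = preflighted ? serverOptsIn : true;
  return { bodySent, responseReadable: bodySent && serverOptsIn };
}

// Does the password reach a foreign server? Runs the script with or without
// vetting under a given browser model and reports whether the body was sent
// to an origin other than the app's own.
function passwordLeaks(endpoint, browser, { vet = false } = {}) {
  let req = buildLoginRequest(endpoint, "alice", "hunter2"); // constructed credentials
  if (vet) {
    try { req = vetTarget(req); } catch (e) { return false; }
  }
  const result = dispatch(req, browser);
  return req.origin !== APP_ORIGIN && result.bodySent;
}

// Constructed inputs: the endpoint the author intended, and an absolute URL
// an attacker managed to inject into the same page state.
const GOOD_ENDPOINT = "/api/login";
const EVIL_ENDPOINT = `${ATTACKER_ORIGIN}/api/login`;

console.log("legacy XHR, injected endpoint :", passwordLeaks(EVIL_ENDPOINT, { mode: "legacy" }));
console.log("CORS, injected endpoint       :", passwordLeaks(EVIL_ENDPOINT, { mode: "cors", serverOptsIn: true }));
console.log("CORS, preflighted, opted in   :", passwordLeaks(EVIL_ENDPOINT, { mode: "cors", preflighted: true, serverOptsIn: true }));
console.log("CORS with URL vetting         :", passwordLeaks(EVIL_ENDPOINT, { mode: "cors", serverOptsIn: true }, { vet: true }));
```

The point the model makes explicit is that server-side opt-in is not a defence for the client: the attacker's server is the one opting in, and for a form-encoded POST the body has already left before any opt-in header is consulted. The only check that protects the credential is the one the client script performs on the target origin before it builds the request.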