Re: [cors] security issue with XMLHttpRequest API compatibility

On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.close@gmail.com>  
wrote:
> I don't have any numbers, but I believe using a plaintext password in
> the request body or URL is a fairly common design in web applications.
> I certainly see it in a lot of protocol documentation. Before CORS,
> there was no threat of this password being sent to the wrong site,
> since the client code could only message with the one site. Now the
> attacker can instruct the browser to message with additional sites.

That's wrong actually. There are plenty of ways to send messages  
cross-origin nowadays:

  * <img src>
  * <iframe src>
  * <object data>
  * <embed src>
  * <form action>
  * <script src>
  * 'background-image'
  * 'cursor'
  * 'list-style-image'
  * ...

(All can be instantiated from script, in case that was not clear.)


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 6 April 2009 23:47:53 UTC