- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 07 Apr 2009 01:47:02 +0200
- To: "Tyler Close" <tyler.close@gmail.com>, "Jonas Sicking" <jonas@sicking.cc>
- Cc: public-webapps@w3.org
On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> I don't have any numbers, but I believe using a plaintext password in
> the request body or URL is a fairly common design in web applications.
> I certainly see it in a lot of protocol documentation. Before CORS,
> there was no threat of this password being sent to the wrong site,
> since the client code could only message with the one site. Now the
> attacker can instruct the browser to message with additional sites.

That's wrong actually. There are plenty of ways to send messages
cross-origin nowadays:

* <img src>
* <iframe src>
* <object data>
* <embed src>
* <form action>
* <script src>
* 'background-image'
* 'cursor'
* 'list-style-image'
* ...

(All can be instantiated from script, in case that was not clear.)

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 6 April 2009 23:47:53 UTC
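Anne's list of pre-CORS cross-origin vectors, driven from script, as an added example that is not part of the original thread or of any W3C text. The target URL (victim.example, carrying a plaintext password as in Tyler's scenario), the vector names as strings and the `doc` parameter are assumptions made for the example; in a real page `doc` is just `document`. Creating each element is enough to make the browser issue a request to the foreign origin, and none of these vectors consult CORS headers before sending.

```javascript
// Added example (not from the thread): every vector in Anne's list, driven from
// script. Creating the element is enough to make the browser issue a request to
// a foreign origin; these legacy vectors never consult CORS headers.
// TARGET is a hypothetical URL carrying a plaintext password, as in Tyler's scenario.
const TARGET = "https://victim.example/login?user=alice&password=hunter2";

const VECTORS = [
  "img", "iframe", "object", "embed", "form", "script",
  "background-image", "cursor", "list-style-image",
];

// HTTP method the browser will use for each vector; only <form> lets script choose POST.
function methodFor(vector) {
  return vector === "form" ? "POST" : "GET";
}

// Create the DOM node that triggers the cross-origin request for `vector`.
// `doc` defaults to the real DOM; it is a parameter only so the construction
// logic can be exercised outside a browser with a minimal stand-in object.
function buildVector(vector, url, doc = globalThis.document) {
  const e = (tag) => doc.createElement(tag);
  switch (vector) {
    case "img":    { const n = e("img");    n.src  = url; return n; }
    case "iframe": { const n = e("iframe"); n.src  = url; return n; }
    case "object": { const n = e("object"); n.data = url; return n; }
    case "embed":  { const n = e("embed");  n.src  = url; return n; }
    case "script": { const n = e("script"); n.src  = url; return n; }
    case "form": {
      // A form gives script a cross-origin POST with a body of its choosing,
      // and script can submit it with no click from the user.
      const n = e("form");
      n.action = url;
      n.method = "POST";
      n.target = "_blank"; // keep the attacker's page in place after submit
      const field = e("input");
      field.name = "password";
      field.value = "hunter2";
      n.appendChild(field);
      return n;
    }
    case "background-image":
    case "cursor":
    case "list-style-image": {
      // CSS image properties fetch too, as soon as the styled box is rendered.
      // 'cursor' needs a fallback keyword or browsers reject the declaration.
      const n = e(vector === "list-style-image" ? "li" : "div");
      const value = vector === "cursor" ? `url("${url}"), auto` : `url("${url}")`;
      n.style.setProperty(vector, value);
      return n;
    }
    default:
      throw new Error("unknown vector: " + vector);
  }
}

// Attach every vector to the page. Each insertion causes a request to `url`
// that carries the user's cookies for that origin (today subject to SameSite).
// Returns one record per vector describing what the browser sends.
function fireAll(url, doc = globalThis.document) {
  return VECTORS.map((vector) => {
    const node = buildVector(vector, url, doc);
    doc.body.appendChild(node);
    if (vector === "form" && typeof node.submit === "function") node.submit();
    return { vector, method: methodFor(vector), url };
  });
}

// In a browser this fires immediately; where there is no DOM it is a no-op.
if (globalThis.document) console.table(fireAll(TARGET));
```

Paste the block into the console of any page and watch the network panel: nine requests leave for victim.example, eight GETs and one POST, all before any CORS machinery is involved. That is the point Anne makes: the ability to make the browser "message with additional sites" predates CORS, so a design that puts a plaintext password in a URL or body was already exposed to a page that could construct these elements.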