- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 6 Apr 2009 16:49:13 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, public-webapps@w3.org
Well, Anne, as I said in the previous paragraph, the one you deleted, I'm
considering an application that does its messaging via XMLHttpRequest.

Sheesh.

--Tyler

On Mon, Apr 6, 2009 at 4:47 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> I don't have any numbers, but I believe using a plaintext password in
>> the request body or URL is a fairly common design in web applications.
>> I certainly see it in a lot of protocol documentation. Before CORS,
>> there was no threat of this password being sent to the wrong site,
>> since the client code could only message with the one site. Now the
>> attacker can instruct the browser to message with additional sites.
>
> That's wrong actually. There are plenty of ways to send messages
> cross-origin nowadays:
>
> * <img src>
> * <iframe src>
> * <object data>
> * <embed src>
> * <form action>
> * <script src>
> * 'background-image'
> * 'cursor'
> * 'list-style-image'
> * ...
>
> (All can be instantiated from script, in case that was not clear.)
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
Received on Monday, 6 April 2009 23:49:53 UTC