- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Fri, 20 Aug 2010 18:59:09 -0700
- To: public-webapps <public-webapps@w3.org>
Hi,

The CORS specification in its current form seems to be very concerned about increasing the attack surface of benign servers (the preflight request etc. concern). Seeing [1], I am concerned about the other case - benign clients and malicious cross-origin servers.

For the tl;dr crowd - my (possibly wrong) summary of the attack:

facebook.com loads content using the stuff after a '#' in a URL, thus facebook.com/#profile.php loads content from facebook.com/profile.php using XHR. A URL like facebook.com/#evil.com/evil.php, with evil.com configured to "AccessControlAllowOrigin *", could result in HTML injection.

It seems that over here facebook is a benign server that some time in the past assumed that XHR can only be same origin, and with the introduction of cross-origin XHR, is suddenly vulnerable to XSS. In general, a client needs to 'add' stuff to its js to be safe after the introduction of XHR. This isn't ideal.

Regards,
devdatta

[1] http://m-austin.com/blog/?p=19
Received on Saturday, 21 August 2010 02:00:03 UTC
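The pattern the mail describes is a fragment-driven loader whose only protection was the old assumption that XHR cannot leave the page's origin. The following is an added example, not code from the mail, from Facebook, or from the linked post: a resolver in the vulnerable style next to a hardened one that re-imposes the same-origin restriction in the client, so that a foreign server's `Access-Control-Allow-Origin: *` header no longer matters. The page origin `https://www.example.test/`, the host `evil.example`, and the function names are constructed for the example.

```javascript
// Added example (not from the original mail): the fragment-to-target
// resolution of a "#path"-style loader, in a vulnerable and a hardened form.
// The page origin and the sample fragments below are constructed values.

// Vulnerable: whatever follows '#' becomes the XHR target. Relative paths
// resolve against the page, but absolute and protocol-relative URLs pass
// through unchanged. Before cross-origin XHR a foreign target simply failed;
// with CORS, a server answering "Access-Control-Allow-Origin: *" gets its
// response body inserted into the page.
function resolveTargetUnsafe(pageHref, fragment) {
  return new URL(fragment, pageHref).href;
}

// Hardened: resolve the fragment the same way, then refuse any target whose
// origin differs from the page's own. This restores the same-origin
// assumption in the client itself, independent of foreign CORS headers.
function resolveTargetSameOrigin(pageHref, fragment) {
  const page = new URL(pageHref);
  let target;
  try {
    target = new URL(fragment, page);
  } catch (e) {
    return null; // unparsable fragment: load nothing
  }
  if (target.origin !== page.origin) {
    // Covers cross-origin hosts and opaque ("null") origins such as javascript:
    return null;
  }
  return target.href;
}

// Minimal loader around the hardened resolver. fetchImpl is injected so the
// function can be exercised without a browser; the response is inserted as
// text rather than as markup, so even a same-origin response cannot inject HTML.
async function loadFromFragment(pageHref, fragment, fetchImpl, container) {
  const href = resolveTargetSameOrigin(pageHref, fragment);
  if (href === null) return false;
  const res = await fetchImpl(href);
  container.textContent = await res.text();
  return true;
}

// Constructed demonstration inputs.
const PAGE = "https://www.example.test/";
const samples = [
  "profile.php",                    // legitimate relative target
  "//evil.example/evil.php",        // protocol-relative, cross-origin
  "https://evil.example/evil.php",  // absolute, cross-origin
  "javascript:alert(1)",            // opaque origin
];
for (const f of samples) {
  console.log(
    f, "=> unsafe:", resolveTargetUnsafe(PAGE, f),
    "| same-origin:", resolveTargetSameOrigin(PAGE, f)
  );
}
```

The check is deliberately done on the resolved `origin` rather than by string-prefix matching on the fragment, since `//host/path` and `scheme:` forms would slip past a prefix test but resolve to a different origin here.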