W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2015

Re: Abusing HTTP status codes to deanonymize web users

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 8 May 2015 07:13:35 +0200
Message-ID: <CADnb78jh=FWaZhFy3UdVqH3yAn43O=S4CZjrUO7RaQwGCKZ3vg@mail.gmail.com>
To: Ahmed Elsobky <mreagle0x@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, May 7, 2015 at 10:50 PM, Ahmed Elsobky <mreagle0x@gmail.com> wrote:
> <script src=http://example.com/user/1001/settings onerror="javascript:x=1">

Do you have a test case showing that <script> fires an error event
consistently for 4xx or 5xx status codes? I thought it would always
try to parse the result as a script and execute it.

> ..Any thoughts?

I proposed http://www.w3.org/TR/2012/NOTE-from-origin-20120529/ at
some point to mitigate this. There wasn't much interest.

Received on Friday, 8 May 2015 05:13:59 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:49 UTC