- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Jan 2008 01:26:56 +0000 (UTC)
On Wed, 9 Jan 2008, Adam Barth wrote:
>
> Consider the following example page:
>
> /foo/bar.html:
>
> <html>
> <head>
> <script src="lib.js"></script>
> </head>
> </html>
>
> Suppose the attacker directs the user to
> http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to
> the target's IP address, 171.64.78.10. The target serves the above
> HTML, which runs in the origin (http, www.attacker.com, 80,
> 171.64.78.10) and causes the user agent to request
> http://www.attacker.com/foo/lib.js. Now, the attacker rebinds
> www.attacker.com to point to the attacker's IP address and serves
> malicious JavaScript. At this point, the attacker is running malicious
> JavaScript in the origin that includes the target's IP address and can
> proceed with the attack.

As I understand it, that kind of attack would be mitigated by the browser not doing a DNS query for the second one -- it's the reason browsers tend to have built-in DNS caches (with TTLs in the order of a minute).

The idea with origins containing IP addresses is to avoid attacks like where a page on attacker.com does a window.open() to another page on attacker.com where the second page is served from the victim IP, and scripts in the first page then do cross-window manipulation.

However, I agree that it doesn't really help that much. It's just one more possible way to slow people down. I'm not sure we'll do it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 January 2008 17:26:56 UTC
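The two defences discussed in the thread, a browser-side DNS pin that skips the second lookup and an origin tuple that carries the resolved IP, as an added Python sketch that is not part of the original exchange. `PinningResolver`, `Origin` and `fetch_subresource_origin` are the example's own names; the target IP is the one Barth quotes, and 203.0.113.5 is a constructed stand-in for the attacker's address.

```python
"""Minimal DNS pinning plus IP-bearing origins (illustrative, not browser code)."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Origin:
    """Origin tuple in the form the thread discusses: scheme, host, port, IP."""
    scheme: str
    host: str
    port: int
    ip: str  # IP the host resolved to when the document was loaded


class PinningResolver:
    """Resolve a hostname once, then reuse that answer for pin_seconds,
    ignoring what DNS would say in the meantime (the 'built-in DNS cache')."""

    def __init__(self, lookup, pin_seconds=60, clock=time.monotonic):
        self._lookup = lookup            # callable: hostname -> IP string
        self._pin_seconds = pin_seconds
        self._clock = clock
        self._pins = {}                  # hostname -> (ip, expiry)

    def resolve(self, host):
        now = self._clock()
        pinned = self._pins.get(host)
        if pinned and now < pinned[1]:
            return pinned[0]             # pinned: no new DNS query is made
        ip = self._lookup(host)
        self._pins[host] = (ip, now + self._pin_seconds)
        return ip


def fetch_subresource_origin(resolver, doc_origin, url_host):
    """Origin a subresource such as lib.js is fetched in; it equals the
    document's origin only if host and resolved IP still match."""
    return Origin(doc_origin.scheme, url_host, doc_origin.port, resolver.resolve(url_host))


def demo(pin_seconds):
    """Constructed scenario from the thread: DNS first answers with the target's
    IP, then is rebound to an attacker-controlled (constructed) address.
    Returns (subresource loads in the document's origin?, IP it resolved to)."""
    answers = iter(["171.64.78.10", "203.0.113.5"])  # second answer = rebind
    resolver = PinningResolver(lambda host: next(answers), pin_seconds, clock=lambda: 0.0)
    doc = Origin("http", "www.attacker.com", 80, resolver.resolve("www.attacker.com"))
    lib = fetch_subresource_origin(resolver, doc, "www.attacker.com")
    return doc == lib, lib.ip


if __name__ == "__main__":
    print("pinned  :", demo(60))  # rebind ignored, lib.js still served by the target
    print("unpinned:", demo(0))   # rebind takes effect, origin IP no longer matches
```

With a 60-second pin the second request reuses the target's IP, so the rebound answer never reaches the page; with no pin the subresource resolves to the new address and the IP-bearing origin comparison fails.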