
[whatwg] Limitations of IP addresses into the origin tuple

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 10 Jan 2008 01:26:56 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0801100106040.13181@hixie.dreamhostps.com>
On Wed, 9 Jan 2008, Adam Barth wrote:
> Consider the following example page:
> /foo/bar.html:
> <html>
> <head>
> <script src="lib.js"></script>
> </head>
> </html>
> Suppose the attacker directs the user to 
> http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to 
> the target's IP address. The target serves the above 
> HTML, which runs in the origin (http, www.attacker.com, 80, 
> and causes the user agent to request 
> http://www.attacker.com/foo/lib.js.  Now, the attacker rebinds 
> www.attacker.com to point to the attacker's IP address and serves 
> malicious JavaScript.  At this point, the attacker is running malicious 
> JavaScript in the origin that includes the target's IP address and can 
> proceed with the attack.

As I understand it, that kind of attack would be mitigated by the browser 
not doing a DNS query for the second one -- it's the reason browsers tend 
to have built-in DNS caches (with TTLs in the order of a minute).

The idea with origins containing IP addresses is to avoid attacks like the 
one where a page on attacker.com does a window.open() to another page on 
attacker.com where the second page is served from the victim IP, and 
scripts in the first page then do cross-window manipulation.

However, I agree that it doesn't really help that much. It's just one more 
possible way to slow people down. I'm not sure we'll do it.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 9 January 2008 17:26:56 UTC
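The two mitigations the reply contrasts, a browser-side DNS cache that pins a name to its first answer for about a minute, and an origin tuple extended with the resolved IP, can be modelled in a few dozen lines. The following is an added example, not code from this thread or from any browser; the hostnames, IPs (RFC 5737 documentation ranges), timings and the class and function names are all constructed for illustration. It walks through both scenarios on the page: the quoted `<script src="lib.js">` case, where the script runs in the including document's origin whatever IP it was served from, so only the pin decides the outcome, and the `window.open()` case from the reply, where each document has its own origin and an IP in the tuple does separate them.

```javascript
// Added example, not code from the whatwg thread or from any browser.
// Toy model of a pinning DNS cache and an IP-extended origin tuple.
// All hostnames, IPs and timings below are constructed values.

const TARGET_IP = '198.51.100.10';   // constructed (RFC 5737 documentation range)
const ATTACKER_IP = '203.0.113.7';   // constructed (RFC 5737 documentation range)
const PIN_TTL_MS = 60 * 1000;        // "on the order of a minute", as in the reply

// Upstream DNS as the name's owner sees it: the answer can be changed between
// queries. That change is the "rebinds" step in the quoted scenario.
class ScriptedDns {
  constructor(answers) { this.answers = new Map(Object.entries(answers)); }
  set(host, ip) { this.answers.set(host, ip); }
  resolve(host) {
    if (!this.answers.has(host)) throw new Error(`NXDOMAIN ${host}`);
    return this.answers.get(host);
  }
}

// Browser-side cache that pins a name to its first answer for ttlMs and
// ignores upstream changes until the pin expires. ttlMs = 0 disables pinning.
class PinningResolver {
  constructor(upstream, ttlMs) {
    this.upstream = upstream;
    this.ttlMs = ttlMs;
    this.cache = new Map();
  }
  resolve(host, now) {
    const entry = this.cache.get(host);
    if (entry && now < entry.expires) return entry.ip;
    const ip = this.upstream.resolve(host);
    this.cache.set(host, { ip, expires: now + this.ttlMs });
    return ip;
  }
}

// Resolve a URL the way a fetch would and build its origin tuple:
// (scheme, host, port), plus the serving IP when includeIp is set.
function fetchOrigin(url, resolver, now, includeIp) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === 'https' ? '443' : '80');
  const ip = resolver.resolve(u.hostname, now);
  return { scheme, host: u.hostname, port, ip: includeIp ? ip : null, servedFrom: ip };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port && a.ip === b.ip;
}

// Quoted scenario: the document is served by the target, DNS is flipped, and
// lib.js is fetched delayMs later. The script executes in the including
// document's origin regardless of which IP served it, so the IP in the tuple
// changes nothing here; only the pin keeps the second fetch on the target.
function scriptInclusionScenario({ pinned, includeIp, delayMs }) {
  const dns = new ScriptedDns({ 'www.attacker.com': TARGET_IP });
  const resolver = new PinningResolver(dns, pinned ? PIN_TTL_MS : 0);
  const doc = fetchOrigin('http://www.attacker.com/foo/baz.html', resolver, 0, includeIp);
  dns.set('www.attacker.com', ATTACKER_IP);            // the rebind
  const script = fetchOrigin('http://www.attacker.com/foo/lib.js', resolver, delayMs, includeIp);
  return {
    docOrigin: doc,
    scriptServedFrom: script.servedFrom,
    attackerScriptRunsInDocOrigin: script.servedFrom === ATTACKER_IP,
  };
}

// Reply's window.open() scenario: two top-level documents on the same host,
// the second opened after the rebind. Each has its own origin tuple, so an
// IP in the tuple makes the same-origin check fail between them.
function crossWindowScenario({ pinned, includeIp, delayMs }) {
  const dns = new ScriptedDns({ 'www.attacker.com': ATTACKER_IP });
  const resolver = new PinningResolver(dns, pinned ? PIN_TTL_MS : 0);
  const opener = fetchOrigin('http://www.attacker.com/a.html', resolver, 0, includeIp);
  dns.set('www.attacker.com', TARGET_IP);              // the rebind
  const opened = fetchOrigin('http://www.attacker.com/b.html', resolver, delayMs, includeIp);
  return {
    openerServedFrom: opener.servedFrom,
    openedServedFrom: opened.servedFrom,
    crossWindowAccessAllowed: sameOrigin(opener, opened),
  };
}
```

Running the four combinations shows the split the reply describes: in the script-inclusion case `includeIp` makes no difference and only `pinned` (within the TTL) stops the attacker's bytes from executing in the target's origin, while in the cross-window case `includeIp` alone is enough to separate the two documents even with no pinning at all. The model also makes the pin's own limit visible: once `delayMs` exceeds `PIN_TTL_MS` the second fetch re-resolves and the rebind succeeds.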
