[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

On Mon, 29 Sep 2008 13:41:59 +0200, Michal Zalewski <lcamtuf at dione.cc>  
wrote:
> Note that the current implementation proposals for "Origin" headers  
> (which I believe are limited to non-GET, non-HEAD requests) would not  
> prevent this attack, nor some other potential attack vectors; they would  
> probably need to be modified to include "Origin" header on SRC= GET  
> requests on IFRAME / EMBED / OBJECT / APPLET.

A cross-site XMLHttpRequest request would always include Origin. I haven't  
really seen other specifications start using it yet, but I believe there  
are some experimental implementations for including it in cross-site  
<form> POST requests.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Sunday, 28 September 2008 22:58:17 UTC