- From: Mike Wilson <mikewse@hotmail.com>
- Date: Fri, 4 Sep 2009 00:47:20 +0200
Ian Hickson wrote:
> On Thu, 3 Sep 2009, Mike Wilson wrote:
> >
> > - calling pushState(..., "/pages/section1/thing2") when
> > first script's basedir=/pages/section1 will be ok
> >
> > - calling pushState(..., "/pages/section2/thing2") when
> > first script's basedir=/pages/section1 will not be
> > allowed (and throw).
> >
> > Is any of these wrong?
>
> The path part of the URL is ignored when deciding whether or
> not to allow the call.

Rereading the spec again I see that. Sorry, my bad :-S

I see now that the first script's URL is only used to keep pushState on the same origin, while I was expecting it to keep pushState URLs on the same "sub branch" path.

But doesn't this open up a fairly bad security exploit? Let's say that I have rights to post to a blog on:

www.corporatesite.com/fan/blog

Assuming I can get some JavaScript inside one of my blog posts, I can then pretend I am redirecting the user to:

www.corporatesite.com/topclientsonly/login

while I am really impersonating that page through pushState and harvesting their passwords.

The result is that the address bar URL can't be trusted, as any page on the site can impersonate any other without consent from that page or part of the site?

Best regards
Mike
Received on Thursday, 3 September 2009 15:47:20 UTC
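The rule under discussion in the message above (pushState compares only the origin of the new URL against the document's URL, and ignores the path) is modelled below as a stand-alone JavaScript check. This is an added example written for this page; it is not code from the thread, from any browser, or from the HTML specification. The function names, the blog URL and the candidate URLs are constructed for illustration, and the check is limited to the scheme/host/port comparison the message describes; special handling that later spec revisions give to non-HTTP schemes is not modelled. It uses only the WHATWG `URL` class, so it runs in Node.js without a real `history` object.

```javascript
// Added example: a stand-alone model of the origin check that the History API
// applies to pushState()/replaceState() URLs. Not code from the e-mail thread
// or the spec; the function names below are our own. Uses the WHATWG URL
// class only, so it runs under Node.js or in a browser console.

// Return the absolute URL that pushState would place in the address bar, or
// throw an error named like the one a browser raises (SecurityError) when the
// resolved URL's origin differs from the document's origin.
function checkPushStateUrl(documentUrl, newUrl) {
  const base = new URL(documentUrl);
  let resolved;
  try {
    resolved = new URL(newUrl, base); // relative URLs resolve against the page
  } catch (e) {
    throw new TypeError(`cannot resolve ${JSON.stringify(newUrl)} against ${base.href}`);
  }
  // Only scheme, host and port (the origin) are compared. Path, query and
  // fragment are deliberately not compared, which is the point of the thread:
  // any page on the origin may put any same-origin path in the address bar.
  if (resolved.origin !== base.origin) {
    const err = new Error(`pushState to ${resolved.href} from ${base.href} is not allowed`);
    err.name = 'SecurityError';
    throw err;
  }
  return resolved.href;
}

// Convenience wrapper: true if the call is allowed, false if it would throw.
function pushStateAllowed(documentUrl, newUrl) {
  try {
    checkPushStateUrl(documentUrl, newUrl);
    return true;
  } catch (e) {
    if (e.name === 'SecurityError') return false;
    throw e; // unparseable input is a different failure, not a policy decision
  }
}

// Constructed scenario following the message: a script running in a post on
// the blog sub-path of a corporate site (hypothetical host and paths).
const BLOG = 'https://www.corporatesite.com/fan/blog/post-1';

const results = {
  sameBranch:   pushStateAllowed(BLOG, '/fan/blog/post-2'),
  otherBranch:  pushStateAllowed(BLOG, '/topclientsonly/login'),   // allowed: path is ignored
  absoluteSame: pushStateAllowed(BLOG, 'https://www.corporatesite.com/topclientsonly/login'),
  queryOnly:    pushStateAllowed(BLOG, '?page=2'),
  otherHost:    pushStateAllowed(BLOG, 'https://login.corporatesite.com/'), // host differs
  otherScheme:  pushStateAllowed(BLOG, 'http://www.corporatesite.com/fan/blog/'), // scheme differs
  otherPort:    pushStateAllowed(BLOG, 'https://www.corporatesite.com:8443/fan/blog/'), // port differs
};

for (const [name, allowed] of Object.entries(results)) {
  console.log(`${name.padEnd(13)} ${allowed ? 'allowed' : 'SecurityError'}`);
}
```

Running the block prints one line per candidate URL; the three origin-crossing cases are rejected while every same-origin path, including the `/topclientsonly/login` path from the message, is accepted. The model makes the message's point concrete: the check protects origin boundaries, not path boundaries, so trust that rests on a path prefix within one origin gets no help from this check.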