[whatwg] "first script" and impersonating other pages - pushState(url)

On Fri, 4 Sep 2009, Mike Wilson wrote:
> Let's say that I have rights to post to a blog on:
>   www.corporatesite.com/fan/blog
> Assuming I can get some JavaScript inside one of my blog
> posts, I can then pretend I am redirecting the user to:
>   www.corporatesite.com/topclientsonly/login
> while I am really impersonating that page through pushState
> and harvesting their passwords.

The Web has a same-origin security model. If you're sharing one origin 
between two untrusted authors, you've already lost.

For example, today you could already do what you describe -- just use 
window.open() to open the topclientsonly/login page, and then inject 
script to grab the password.

> The result is that the address bar URL can't be trusted, as any page on 
> the site can impersonate any other without consent from that page or 
> part of the site?

That's already the case.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 3 September 2009 16:01:17 UTC