W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2009

[whatwg] "first script" and impersonating other pages - pushState(url)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 3 Sep 2009 23:01:17 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0909032256160.10423@hixie.dreamhostps.com>
On Fri, 4 Sep 2009, Mike Wilson wrote:
> Let's say that I have rights to post to a blog on:
>   www.corporatesite.com/fan/blog
> Assuming I can get some JavaScript inside one of my blog
> posts, I can then pretend I am redirecting the user to:
>   www.corporatesite.com/topclientsonly/login
> while I am really impersonating that page through pushState
> and harvesting their passwords.

The Web has a same-origin security model. If you're sharing one origin 
between two untrusted authors, you've already lost.

For example, today you could already do what you describe -- just use 
window.open() to open the topclientsonly/login page, and then inject 
script to grab the password.

> The result is that the address bar URL can't be trusted, as any page on 
> the site can impersonate any other without consent from that page or 
> part of the site?

That's already the case.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2009 16:01:17 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:16 UTC