[whatwg] "first script" and impersonating other pages - pushState(url)

Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work.  My understanding is that if A and B have the same
origin, they can do whatever they want to each others' documents,
including modifying content.  So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the javascript which runs
on your origin.


Received on Thursday, 3 September 2009 15:58:07 UTC