[whatwg] "first script" and impersonating other pages - pushState(url)

Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work.  My understanding is that if A and B have the same
origin, they can do whatever they want to each others' documents,
including modifying content.  So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the javascript which runs
on your origin.

-Justin

Received on Thursday, 3 September 2009 15:58:07 UTC