- From: Justin Lebar <justin.lebar@gmail.com>
- Date: Thu, 3 Sep 2009 15:58:07 -0700
Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?

Someone will correct me if I'm wrong, but I think this is already pretty much the case with today's same-origin policy, albeit with a bit more work. My understanding is that if A and B have the same origin, they can do whatever they want to each other's documents, including modifying content. So if you can control script at http://google.com/~mwilson, and a user has both your site and http://google.com/securesite open, then your malicious page can do whatever it wants to the secure page. That's why it's important that you trust all the JavaScript which runs on your origin.

-Justin
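As an added illustration (not part of Justin's message or of the thread), here is the origin comparison the reply relies on, written out in Python: two URLs share an origin when scheme, host and port match, and the path is ignored entirely, which is why the two google.com paths above land in one origin. The alternative hostname `mwilson.users.example` is a constructed example of hosting untrusted content on its own origin.

```python
from urllib.parse import urlsplit

# Default ports per scheme, used when the URL omits an explicit port
# so that "https://host/" and "https://host:443/" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple for an http(s) URL.

    Path, query and fragment are deliberately not part of the tuple:
    that is exactly why pages under different paths on one host share
    an origin and may read and modify each other's documents.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = (parts.hostname or "").lower()   # hostname is case-insensitive
    if not host:
        raise ValueError("URL has no host")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when script on url_a may access the DOM of url_b and vice versa."""
    return origin(url_a) == origin(url_b)


if __name__ == "__main__":
    # The two pages from the mail: different paths, one origin.
    attacker = "http://google.com/~mwilson"
    secure = "http://google.com/securesite"
    print(same_origin(attacker, secure))          # True: paths do not isolate

    # Constructed example: user content moved to a dedicated hostname,
    # so the host component differs and the pages are isolated.
    isolated = "http://mwilson.users.example/"
    print(same_origin(isolated, secure))           # False: separate origin

    # Scheme and port are part of the tuple too.
    print(same_origin("http://google.com/", "https://google.com/"))   # False
    print(same_origin("https://Google.com:443/a", "https://google.com/b"))  # True
```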
Received on Thursday, 3 September 2009 15:58:07 UTC