- From: Mike Wilson <mikewse@hotmail.com>
- Date: Fri, 4 Sep 2009 11:00:24 +0200
Justin Lebar wrote:
> Mike Wilson wrote:
> > The result is that the address bar URL can't be trusted, as
> > any page on the site can impersonate any other without
> > consent from that page or part of the site?
>
> Someone will correct me if I'm wrong, but I think this is already
> pretty much the case with today's same-origin policy, albeit with a
> bit more work. My understanding is that if A and B have the same
> origin, they can do whatever they want to each other's documents,
> including modifying content. So if you can control script at
> http://google.com/~mwilson , and a user has both your site and
> http://google.com/securesite , then your malicious page can do
> whatever it wants to the secure page.
>
> That's why it's important that you trust all the javascript which runs
> on your origin.

Ian Hickson wrote:
> The Web has a same-origin security model. If you're sharing
> one origin between two untrusted authors, you've already lost.
>
> For example, today you could already do what you describe -- just use
> window.open() to open the topclientsonly/login page, and then inject
> script to grab the password.

Yes of course, should have thought about that :-P. As you say, it is
trivial to add a frame that displays the victim page and then patch it
to my needs.

Well, if there will ever be a path-based security mechanism (as
suggested in my other thread) I guess it could apply to pushState as
well.

Thanks
Mike
Received on Friday, 4 September 2009 02:00:24 UTC