- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 17 Jul 2011 13:50:23 -0700
On Sun, Jul 17, 2011 at 12:41 PM, Bjartur Thorlacius <svartman95 at gmail.com> wrote:
> On Fri, 15 Jul 2011 18:39, Jonas Sicking wrote:
>>
>> 2011/7/14 Ian Fette <ifette at google.com>:
>> One concern which was brought up was the ability to cause the user to
>> download a file from a third party site. I.e. this would allow
>> evil.com to trick the user into downloading an email from the user's
>> webmail, or download a page from their bank which contains all their
>> banking information. It might be easier to then trick the user into
>> re-uploading the saved file to evil.com since from a user's
>> perspective, it looked like the file came from evil.com
>>
> Would it not be possible to send an unauthenticated request for the
> file, if it's of different origin?

That only solves part of the problem since if the file is located on a
private intranet behind a firewall, even unauthenticated requests can
return sensitive data.

Additionally, I strongly suspect people will want to be able to download
authenticated data cross site.

/ Jonas
Received on Sunday, 17 July 2011 13:50:23 UTC
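The thread's concern is that a page on one site can make the browser save a file fetched from another site (a webmail message, a bank statement, an intranet document) under a name the attacker chose. One mitigation a user agent can apply is to honour a forced download only when the link target shares the document's origin. The following is an added example, not code from the thread or from any browser: a hypothetical decision function that applies that same-origin-only policy, comparing RFC 6454 (scheme, host, port) origins and treating `data:` targets as safe because nothing is fetched from a server. The sample document/link pairs at the bottom are constructed to mirror the scenarios discussed above.

```python
from urllib.parse import urlsplit

# Default ports per scheme; an explicit default port is the same origin as none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple RFC 6454 uses as an origin.

    Raises ValueError for URLs whose port is not a number.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on e.g. "https://h:abc/"
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def download_decision(document_url, link_url):
    """Return (honour, reason) for a forced download requested by document_url.

    Hypothetical same-origin-only policy (an assumption for this example, not
    something the thread specifies):
      * data: targets are honoured, since nothing is fetched from any server;
      * targets on the document's own origin are honoured;
      * anything else (another site, another scheme or port, an intranet
        hostname) is downgraded to an ordinary navigation, so the file is not
        saved under the attacker's chosen name.
    """
    try:
        link = urlsplit(link_url)
        if link.scheme.lower() == "data":
            return True, "data: URL, no remote fetch"
        doc_origin = origin_of(document_url)
        link_origin = origin_of(link_url)
    except ValueError:
        return False, "unparseable URL"
    if doc_origin == link_origin:
        return True, "same origin"
    return False, "cross-origin target %s://%s" % (link_origin[0], link_origin[1])


if __name__ == "__main__":
    # Constructed sample pairs modelled on the scenarios in the thread.
    for doc, link in [
        ("https://evil.example/", "https://mail.example/inbox/1.eml"),
        ("https://evil.example/", "http://intranet/reports/q2.pdf"),
        ("https://mail.example/", "https://mail.example:443/inbox/1.eml"),
        ("https://mail.example/", "http://mail.example/inbox/1.eml"),
    ]:
        print(doc, "->", link, download_decision(doc, link))
```

The intranet case shows why the policy is keyed on origin rather than on authentication: the request to `http://intranet/` carries no credentials, yet it is still refused because the document that asked for it is not from that origin. The same strictness is also the cost Jonas points to, since a site that legitimately wants to offer authenticated cross-site downloads gets nothing more than a plain navigation under this rule.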