[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Anne van Kesteren
annevk at opera.com
Sun Sep 28 22:58:17 PDT 2008
On Mon, 29 Sep 2008 13:41:59 +0200, Michal Zalewski <lcamtuf at dione.cc> wrote:
> Note that the current implementation proposals for "Origin" headers
> (which I believe are limited to non-GET, non-HEAD requests) would not
> prevent this attack, nor some other potential attack vectors; they would
> probably need to be modified to include "Origin" header on SRC= GET
> requests on IFRAME / EMBED / OBJECT / APPLET.
A cross-site XMLHttpRequest request would always include Origin. I haven't
really seen other specifications start using it yet, but I believe there
are some experimental implementations for including it in cross-site
<form> POST requests.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>