[whatwg] Limitations of IP addresses into the origin tuple

Ian Hickson ian at hixie.ch
Wed Jan 9 17:26:56 PST 2008


On Wed, 9 Jan 2008, Adam Barth wrote:
>
> Consider the following example page:
> 
> /foo/bar.html:
> 
> <html>
> <head>
> <script src="lib.js"></script>
> </head>
> </html>
> 
> Suppose the attacker directs the user to 
> http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to 
> the target's IP address, 171.64.78.10.  The target serves the above 
> HTML, which runs in the origin (http, www.attacker.com, 80, 
> 171.64.78.10) and causes the user agent to request 
> http://www.attacker.com/foo/lib.js.  Now, the attacker rebinds 
> www.attacker.com to point to the attacker's IP address and serves 
> malicious JavaScript.  At this point, the attacker is running malicious 
> JavaScript in the origin that includes the target's IP address and can 
> proceed with the attack.

As I understand it, that kind of attack would be mitigated by the browser 
not doing a DNS query for the second one -- it's the reason browsers tend 
to have built-in DNS caches (with TTLs in the order of a minute).

The idea with origins containing IP addresses is to avoid attacks like 
where a page on attacker.com does a window.open() to another page on 
attacker.com where the second page is served from the victim IP, and 
scripts in the first page then do cross-window manipulation.

However, I agree that it doesn't really help that much. It's just one more 
possible way to slow people down. I'm not sure we'll do it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list