[whatwg] Limitations of IP addresses into the origin tuple
ian at hixie.ch
Wed Jan 9 17:26:56 PST 2008
On Wed, 9 Jan 2008, Adam Barth wrote:
> Consider the following example page:
> <script src="lib.js"></script>
> Suppose the attacker directs the user to
> http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to
> the target's IP address, 188.8.131.52. The target serves the above
> HTML, which runs in the origin (http, www.attacker.com, 80,
> 184.108.40.206) and causes the user agent to request
> http://www.attacker.com/foo/lib.js. Now, the attacker rebinds
> www.attacker.com to point to the attacker's IP address and serves
> proceed with the attack.
As I understand it, that kind of attack would be mitigated by the browser
not doing a DNS query for the second one -- it's the reason browsers tend
to have built-in DNS caches (with TTLs in the order of a minute).

The idea with origins containing IP addresses is to avoid attacks like
where a page on attacker.com does a window.open() to another page on
attacker.com where the second page is served from the victim IP, and
scripts in the first page then do cross-window manipulation.

However, I agree that it doesn't really help that much. It's just one more
possible way to slow people down. I'm not sure we'll do it.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
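
The two cases discussed in this message, modelled as an added example that is not part of the original thread and is not browser or specification code: an origin comparison with and without the resolved IP address, and a DNS cache that pins its first answer for a TTL. All function and class names are hypothetical, and the IP addresses are constructed values from the RFC 5737 documentation ranges.

```javascript
// Added illustration; every name here is hypothetical, not browser or spec code.
// Addresses are constructed values from the RFC 5737 documentation ranges.
const ATTACKER_IP = '203.0.113.7';
const TARGET_IP = '192.0.2.10';

// Origin as the usual (scheme, host, port) triple plus the IP the host resolved to.
function makeOrigin(url, ip) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port, ip };
}

// Same-origin comparison; includeIp switches on the 4-tuple variant under discussion.
function sameOrigin(a, b, includeIp) {
  const tripleMatches = a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  return includeIp ? tripleMatches && a.ip === b.ip : tripleMatches;
}

// DNS cache that pins the first answer for ttlMs, ignoring later changes upstream.
class PinningResolver {
  constructor(upstream, ttlMs) {
    this.upstream = upstream;   // function(host) -> current authoritative answer
    this.ttlMs = ttlMs;
    this.cache = new Map();     // host -> { ip, expires }
  }
  resolve(host, nowMs) {
    const hit = this.cache.get(host);
    if (hit && nowMs < hit.expires) return hit.ip;
    const ip = this.upstream(host);
    this.cache.set(host, { ip, expires: nowMs + this.ttlMs });
    return ip;
  }
}

// Two windows on one hostname, with the DNS answer changed between the two loads.
function crossWindowAccessAllowed(includeIp) {
  const opener = makeOrigin('http://www.attacker.com/a.html', ATTACKER_IP);
  const opened = makeOrigin('http://www.attacker.com/b.html', TARGET_IP);
  return sameOrigin(opener, opened, includeIp);
}

// Page load then script fetch at the given times, with the record rebound in between.
function subresourceIps(ttlMs, pageAtMs, scriptAtMs) {
  let answer = TARGET_IP;
  const dns = new PinningResolver(() => answer, ttlMs);
  const pageIp = dns.resolve('www.attacker.com', pageAtMs);
  answer = ATTACKER_IP; // record changes after the page has loaded
  return { pageIp, scriptIp: dns.resolve('www.attacker.com', scriptAtMs) };
}
```

In this model the IP component only changes the outcome of the cross-window comparison; the script fetch is decided by whether the pinned entry is still live when the second request is made.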