[whatwg] Limitations of IP addresses into the origin tuple
Ian Hickson
ian at hixie.ch
Wed Jan 9 17:26:56 PST 2008

On Wed, 9 Jan 2008, Adam Barth wrote:
>
> Consider the following example page:
>
> /foo/bar.html:
>
> <html>
> <head>
> <script src="lib.js"></script>
> </head>
> </html>
>
> Suppose the attacker directs the user to
> http://www.attacker.com/foo/baz.html, with www.attacker.com pointed to
> the target's IP address, 171.64.78.10. The target serves the above
> HTML, which runs in the origin (http, www.attacker.com, 80,
> 171.64.78.10) and causes the user agent to request
> http://www.attacker.com/foo/lib.js. Now, the attacker rebinds
> www.attacker.com to point to the attacker's IP address and serves
> malicious JavaScript. At this point, the attacker is running malicious
> JavaScript in the origin that includes the target's IP address and can
> proceed with the attack.

As I understand it, that kind of attack would be mitigated by the browser
not doing a DNS query for the second one -- it's the reason browsers tend
to have built-in DNS caches (with TTLs in the order of a minute).

The idea with origins containing IP addresses is to avoid attacks like
where a page on attacker.com does a window.open() to another page on
attacker.com where the second page is served from the victim IP, and
scripts in the first page then do cross-window manipulation.

However, I agree that it doesn't really help that much. It's just one more
possible way to slow people down. I'm not sure we'll do it.

--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
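
Added example, not part of the original message or of any browser's code: a JavaScript model of the two cases in this thread, showing that an IP-extended origin separates the window.open() pair but not the rebound script include, which only a pinned DNS answer changes. The function and class names, the pin window and the address 203.0.113.5 are assumptions made for the illustration.

```javascript
// Model of the origin tuples discussed in the thread (all names are hypothetical).
const TARGET_IP = "171.64.78.10";   // target address from the quoted example
const ATTACKER_IP = "203.0.113.5";  // constructed value (documentation range)

// Origin of a document: the usual 3-tuple plus the IP the document was fetched from.
function makeOrigin(url, servedFromIp) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port, ip: servedFromIp };
}

function sameOrigin(a, b, { includeIp }) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port &&
         (!includeIp || a.ip === b.ip);
}

// Resolver that reuses the first answer for a host until pinMs has elapsed.
class PinningResolver {
  constructor(lookup, pinMs) { this.lookup = lookup; this.pinMs = pinMs; this.cache = new Map(); }
  resolve(host, nowMs) {
    const hit = this.cache.get(host);
    if (hit && nowMs - hit.at < this.pinMs) return hit.ip;
    const ip = this.lookup(host, nowMs);
    this.cache.set(host, { ip, at: nowMs });
    return ip;
  }
}

// Loads a page, then its <script src>. The script runs in the origin of the
// including document, regardless of which address its bytes were fetched from.
function loadPageWithScript(resolver, pageUrl, tPage, tScript) {
  const host = new URL(pageUrl).hostname;
  const documentOrigin = makeOrigin(pageUrl, resolver.resolve(host, tPage));
  const scriptFetchedFrom = resolver.resolve(host, tScript);
  return { documentOrigin, scriptFetchedFrom };
}

// Constructed DNS behaviour: answers with the target first, rebinds after one second.
const rebindingDns = (host, nowMs) => (nowMs < 1000 ? TARGET_IP : ATTACKER_IP);

const opener = makeOrigin("http://www.attacker.com/a.html", ATTACKER_IP);
const opened = makeOrigin("http://www.attacker.com/foo/bar.html", TARGET_IP);
console.log("window.open pair same-origin, 3-tuple:", sameOrigin(opener, opened, { includeIp: false }));
console.log("window.open pair same-origin, with IP:", sameOrigin(opener, opened, { includeIp: true }));
console.log(loadPageWithScript(new PinningResolver(rebindingDns, 0), "http://www.attacker.com/foo/baz.html", 0, 2000));
```
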