[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Tue Sep 30 10:25:11 PDT 2008


On Tue, 30 Sep 2008, Adam Barth wrote:

>> This could be addressed by sending a cryptographic hash of the origin (using
>> an algorithm that is commonly available in libraries used by server-side
>> programmers).
>
> Interesting idea.  So you're suggesting something like:
> Origin-SHA1: 4e13de73de2d1a1c350eb4ae429bb7b009a21a84
>
> This sounds like it would work well if the site owner knew exactly all
> the origins he was expecting, but it makes it difficult to enforce a
> policy like "process this request if it came from a subdomain of
> example.com."

More importantly, since the dictionary of possible inputs is rather 
limited, it would be pretty trivial to build a dictionary of site <-> hash 
pairs and crack the values. May protect xyzzy2984.eur.int.example.com, but 
would still reveal to me you are coming from playboy.com.

/mz



More information about the whatwg mailing list