[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Tue Sep 30 10:25:11 PDT 2008
On Tue, 30 Sep 2008, Adam Barth wrote:
>> This could be addressed by sending a cryptographic hash of the origin (using
>> an algorithm that is commonly available in libraries used by server-side
>> programmers).
>
> Interesting idea. So you're suggesting something like:
> Origin-SHA1: 4e13de73de2d1a1c350eb4ae429bb7b009a21a84
>
> This sounds like it would work well if the site owner knew exactly all
> the origins he was expecting, but it makes it difficult to enforce a
> policy like "process this request if it came from a subdomain of
> example.com."
More importantly, since the dictionary of possible inputs is rather
limited, it would be pretty trivial to build a dictionary of site <-> hash
pairs and crack the values. May protect xyzzy2984.eur.int.example.com, but
would still reveal to me you are coming from playboy.com.
/mz
More information about the whatwg
mailing list