[whatwg] "first script" and impersonating other pages - pushState(url)
Mike Wilson
mikewse at hotmail.com
Thu Sep 3 15:47:20 PDT 2009
Ian Hickson wrote:
>
> On Thu, 3 Sep 2009, Mike Wilson wrote:
> >
> > - calling pushState(..., "/pages/section1/thing2") when
> > first script's basedir=/pages/section1 will be ok
> >
> > - calling pushState(..., "/pages/section2/thing2") when
> > first script's basedir=/pages/section1 will not be
> > allowed (and throw).
> >
> > Are any of these wrong?
>
> The path part of the URL is ignored when deciding whether or
> not to allow the call.
Rereading the spec again I see that. Sorry, my bad :-S
I see now that the first script's url is only used to keep
pushState on the same origin, while I was expecting it to
keep pushState urls on the same "sub branch" path.
But doesn't this open up a fairly bad security exploit?
Let's say that I have rights to post to a blog on:
www.corporatesite.com/fan/blog
Assuming I can get some JavaScript inside one of my blog
posts, I can then pretend I am redirecting the user to:
www.corporatesite.com/topclientsonly/login
while I am really impersonating that page through pushState
and harvesting their passwords.
The result is that the address bar URL can't be trusted, as
any page on the site can impersonate any other without
consent from that page or part of the site?
Best regards
Mike
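The following is an added example, not code from the thread, the spec or any browser: a stand-alone model of the origin check that history.pushState() applies to its URL argument. It resolves the target against the document URL with the WHATWG URL parser (built into Node.js and browsers) and compares only the origin (scheme, host, port), so it shows concretely why a different path on the same site passes while any change of scheme, host or port is refused. The document URL and the targets are constructed sample values mirroring the scenario discussed above.

```javascript
// Added example: a simplified model of the pushState() URL check, not code from
// the mailing-list thread or from any browser. The comparison is on origin only;
// the path is never consulted, which is the behaviour the thread discusses.

function pushStateAllowed(documentUrl, target) {
  const doc = new URL(documentUrl);
  let resolved;
  try {
    // Relative targets resolve against the document URL, as in a browser.
    resolved = new URL(target, doc);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL", resolved: null, pathChanged: false };
  }
  // origin = scheme + host + port; pathname does not enter the comparison.
  const sameOrigin = resolved.origin === doc.origin;
  return {
    allowed: sameOrigin,
    reason: sameOrigin ? "same origin" : "cross origin",
    resolved: resolved.href,
    pathChanged: resolved.pathname !== doc.pathname,
  };
}

// Constructed sample document URL and targets (hypothetical host names).
const DOC = "http://www.corporatesite.com/fan/blog";
const SAMPLES = [
  "/fan/blog/post2",                 // same path branch: allowed
  "/topclientsonly/login",           // different branch, same origin: allowed
  "https://www.corporatesite.com/",  // scheme differs: cross origin, refused
  "//www.corporatesite.com:8080/",   // port differs: refused
  "http://other.example/fan/blog",   // host differs: refused
];

// Returns one result row per target so the outcome can be inspected or asserted.
function summarize(documentUrl, targets) {
  return targets.map((t) => ({ target: t, ...pushStateAllowed(documentUrl, t) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of summarize(DOC, SAMPLES)) {
    console.log(`${row.allowed ? "ALLOW " : "REFUSE"} ${row.target} -> ${row.resolved} (${row.reason})`);
  }
}
```

The consequence for site design is that the origin, not the path, is the unit of trust: the address bar path cannot distinguish two pages on one origin, so content that may carry untrusted script (such as user-authored blog posts) should not share an origin with pages that handle credentials. In a real browser the refused cases throw a SecurityError from pushState() rather than returning a value.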