[whatwg] "first script" and impersonating other pages - pushState(url)
Ian Hickson
ian at hixie.ch
Thu Sep 3 16:01:17 PDT 2009
On Fri, 4 Sep 2009, Mike Wilson wrote:
>
> Let's say that I have rights to post to a blog on:
> www.corporatesite.com/fan/blog
> Assuming I can get some JavaScript inside one of my blog
> posts, I can then pretend I am redirecting the user to:
> www.corporatesite.com/topclientsonly/login
> while I am really impersonating that page through pushState
> and harvesting their passwords.
The Web has a same-origin security model. If you're sharing one origin
between two untrusted authors, you've already lost.
For example, today you could already do what you describe -- just use
window.open() to open the topclientsonly/login page, and then inject
script to grab the password.
> The result is that the address bar URL can't be trusted, as any page on
> the site can impersonate any other without consent from that page or
> part of the site?
That's already the case.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
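Added example, not from the thread: a simplified reimplementation of the "can this document rewrite its URL" check that the HTML spec applies before history.pushState()/replaceState() accepts a new URL. Run on the two URLs from the thread it shows the point Ian makes: both share one origin, so the check passes, while a different host, scheme or port is refused (the browser throws a SecurityError). Only Node's built-in URL class is used.

```javascript
// Simplified model of the HTML spec rule for pushState()/replaceState():
// the new URL must be same-origin (scheme, host, port) with the document,
// http(s) documents may then change path/query/fragment freely, file: documents
// may only change query/fragment, and other schemes cannot rewrite at all.
// This is an illustration, not the browser's code.

function sameSchemeHostPort(a, b) {
  // URL.host already includes a non-default port and drops a default one.
  return a.protocol === b.protocol && a.host === b.host;
}

// Returns true when a document at documentUrl may rewrite its address bar to
// target; false corresponds to the browser throwing a SecurityError.
function canRewriteUrl(documentUrl, target) {
  const docUrl = new URL(documentUrl);
  let newUrl;
  try {
    newUrl = new URL(target, docUrl); // relative targets resolve against the document
  } catch {
    return false; // unparsable URL is rejected
  }
  if (!sameSchemeHostPort(docUrl, newUrl)) return false;
  if (docUrl.protocol === 'http:' || docUrl.protocol === 'https:') return true;
  if (docUrl.protocol === 'file:') return docUrl.pathname === newUrl.pathname;
  return false; // blob:, data:, about: and friends cannot be rewritten
}

// Constructed sample: the blog page and the login page named in the thread.
const BLOG = 'https://www.corporatesite.com/fan/blog';
const LOGIN = 'https://www.corporatesite.com/topclientsonly/login';

function demo() {
  return {
    samePath: canRewriteUrl(BLOG, LOGIN),                                  // true
    otherHost: canRewriteUrl(BLOG, 'https://other.example/login'),         // false
    schemeDowngrade: canRewriteUrl(BLOG, 'http://www.corporatesite.com/x'), // false
    otherPort: canRewriteUrl(BLOG, 'https://www.corporatesite.com:8443/x'), // false
  };
}

console.log(demo());
```

The only defence the check offers is the origin boundary; anything finer (separate paths under one host) has to come from separate origins, exactly as the reply says.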