[whatwg] "first script" and impersonating other pages - pushState(url)

Ian Hickson ian at hixie.ch
Thu Sep 3 16:01:17 PDT 2009


On Fri, 4 Sep 2009, Mike Wilson wrote:
> 
> Let's say that I have rights to post to a blog on:
>   www.corporatesite.com/fan/blog
> Assuming I can get some JavaScript inside one of my blog
> posts, I can then pretend I am redirecting the user to:
>   www.corporatesite.com/topclientsonly/login
> while I am really impersonating that page through pushState
> and harvesting their passwords.

The Web has a same-origin security model. If you're sharing one origin 
between two untrusted authors, you've already lost.

For example, today you could already do what you describe -- just use 
window.open() to open the topclientsonly/login page, and then inject 
script to grab the password.


> The result is that the address bar URL can't be trusted, as any page on 
> the site can impersonate any other without consent from that page or 
> part of the site?

That's already the case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list