[whatwg] "first script" and impersonating other pages - pushState(url)
Justin Lebar
justin.lebar at gmail.com
Thu Sep 3 15:58:07 PDT 2009
Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?
Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work. My understanding is that if A and B have the same
origin, they can do whatever they want to each other's documents,
including modifying content. So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.

That's why it's important that you trust all the JavaScript which runs
on your origin.

-Justin
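As an added illustration of the point made in this message (example code, not part of the original thread or of any browser's source), the following Node.js script models the check a browser applies to the URL passed to history.pushState(): the new URL is resolved against the document's URL and must share its scheme, host and effective port. The path is not part of the origin, so a page on one path of an origin can put any other path of that origin in the address bar, while a different scheme, host or port is refused. The hostnames and paths (google.com/~mwilson, /securesite, evil.example) are constructed for the demo, following the ones used in the message; the SecurityError is a stand-in for the exception a browser would throw.

```javascript
// Added example, not from the original thread: a model of the same-origin
// check that history.pushState() applies to its URL argument.
// Hostnames and paths are constructed for the demo.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Origin tuple for a URL: scheme, host and effective port (default filled in).
// Node's global URL class already drops an explicit default port from .port.
function originOf(urlString, base) {
  const u = new URL(urlString, base);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two origin tuples are the same origin only if all three parts match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Model of the pushState URL check: resolve the argument relative to the
// document URL, require the same origin, and return the URL that would be
// shown in the address bar. Throws where a browser would raise SecurityError.
function pushStateUrl(documentUrl, newUrl) {
  const docOrigin = originOf(documentUrl);
  const target = new URL(newUrl, documentUrl);
  if (!sameOrigin(docOrigin, originOf(target.href))) {
    throw new Error(
      'SecurityError: ' + newUrl + ' is not same-origin with ' + documentUrl
    );
  }
  return target.href;
}

// Scenario from the thread: script served from one path of an origin tries
// to put other URLs in the address bar. Returns what each attempt yields.
function impersonationDemo() {
  const attackerPage = 'http://google.com/~mwilson'; // constructed
  const results = {};

  // Same origin, different path: allowed, address bar now shows /securesite.
  results.otherPath = pushStateUrl(attackerPage, '/securesite');
  // Explicit default port is still the same origin.
  results.explicitDefaultPort = pushStateUrl(
    attackerPage, 'http://google.com:80/securesite'
  );

  // Different scheme, host or port: each one is a different origin.
  const crossOrigin = {
    scheme: 'https://google.com/securesite',
    host: 'http://evil.example/securesite',
    port: 'http://google.com:8080/securesite',
  };
  for (const [name, url] of Object.entries(crossOrigin)) {
    try {
      pushStateUrl(attackerPage, url);
      results[name] = 'allowed';
    } catch (e) {
      results[name] = 'blocked';
    }
  }
  return results;
}

console.log(impersonationDemo());
```

The model only mirrors the origin rule; it does not reproduce the rest of pushState (the state object, title, or session history entries). The practical consequence is the one stated in the message: trust boundaries on the web stop at the origin, not at the path, so any script that runs on an origin can present itself as any page of that origin.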