[whatwg] "first script" and impersonating other pages - pushState(url)
justin.lebar at gmail.com
Thu Sep 3 15:58:07 PDT 2009
Mike Wilson wrote:
> The result is that the address bar URL can't be trusted, as
> any page on the site can impersonate any other without
> consent from that page or part of the site?
Someone will correct me if I'm wrong, but I think this is already
pretty much the case with today's same-origin policy, albeit with a
bit more work. My understanding is that if A and B have the same
origin, they can do whatever they want to each others' documents,
including modifying content. So if you can control script at
http://google.com/~mwilson , and a user has both your site and
http://google.com/securesite , then your malicious page can do
whatever it wants to the secure page.
on your origin.
More information about the whatwg