[whatwg] "first script" and impersonating other pages - pushState(url)
Mike Wilson
mikewse at hotmail.com
Fri Sep 4 02:00:24 PDT 2009
Justin Lebar wrote:
> Mike Wilson wrote:
> > The result is that the address bar URL can't be trusted, as
> > any page on the site can impersonate any other without
> > consent from that page or part of the site?
>
> Someone will correct me if I'm wrong, but I think this is already
> pretty much the case with today's same-origin policy, albeit with a
> bit more work. My understanding is that if A and B have the same
> origin, they can do whatever they want to each other's documents,
> including modifying content. So if you can control script at
> http://google.com/~mwilson , and a user has both your site and
> http://google.com/securesite , then your malicious page can do
> whatever it wants to the secure page.
>
> That's why it's important that you trust all the javascript which runs
> on your origin.
Ian Hickson wrote:
> The Web has a same-origin security model. If you're sharing
> one origin between two untrusted authors, you've already lost.
>
> For example, today you could already do what you describe -- just use
> window.open() to open the topclientsonly/login page, and then inject
> script to grab the password.
Yes of course, should have thought about that :-P. As
you say, it is trivial to add a frame that displays
the victim page and then patch it to my needs.
Well, if there will ever be a path-based security
mechanism (as suggested in my other thread) I guess
it could apply to pushState as well.
Thanks
Mike
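The boundary the thread is describing can be seen directly in the check that history.pushState() applies to its URL argument: the requested URL is resolved against the document's URL and must have the same origin (scheme, host and port); the path is not part of that comparison, which is why a page at /~mwilson may put /securesite in the address bar but never a different host, scheme or port. The following is an added model of that check written for this page, not code from the thread or from any browser, and the document and target URLs are constructed samples:

```javascript
// Added example: a model of the same-origin check that history.pushState()
// performs before it rewrites the address bar (not browser code).
// The requested URL is resolved against the document URL, as the browser
// does, and accepted only when the resulting origin (scheme + host + port)
// matches. The path is deliberately NOT compared, so any path on the same
// site can be shown while anything cross-origin is rejected.
function pushStateAllowed(documentUrl, requestedUrl) {
  const doc = new URL(documentUrl);
  let target;
  try {
    // Relative URLs ("/securesite", "../login") resolve against the document.
    target = new URL(requestedUrl, doc.href);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (target.origin !== doc.origin) {
    // Browsers raise a SecurityError here; we just report it.
    return { allowed: false, reason: "origin " + target.origin + " != " + doc.origin };
  }
  return { allowed: true, resulting: target.href };
}

// Constructed sample URLs modelled on the ones mentioned in the thread.
const DOC = "http://google.com/~mwilson/index.html";
const SAMPLES = [
  "/securesite/login",                 // same origin, different path: allowed
  "http://google.com:8080/securesite", // different port: different origin
  "https://google.com/securesite",     // different scheme: different origin
  "http://evil.example/securesite",    // different host: different origin
];

for (const s of SAMPLES) {
  console.log(s, "->", JSON.stringify(pushStateAllowed(DOC, s)));
}
```

Run it with node; the first sample is accepted and its address-bar URL becomes http://google.com/securesite/login, while the other three are refused. That accepted case is exactly the impersonation the thread discusses, and the model makes the defender's takeaway concrete: once two authors share an origin, the path in the address bar is not something the browser will enforce for you.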