[whatwg] "first script" and impersonating other pages - pushState(url)

Mike Wilson mikewse at hotmail.com
Fri Sep 4 02:00:24 PDT 2009

Justin Lebar wrote:
> Mike Wilson wrote:
> > The result is that the address bar URL can't be trusted, as
> > any page on the site can impersonate any other without
> > consent from that page or part of the site?
> Someone will correct me if I'm wrong, but I think this is already
> pretty much the case with today's same-origin policy, albeit with a
> bit more work.  My understanding is that if A and B have the same
> origin, they can do whatever they want to each other's documents,
> including modifying content.  So if you can control script at
> http://google.com/~mwilson , and a user has both your site and
> http://google.com/securesite , then your malicious page can do
> whatever it wants to the secure page.
> That's why it's important that you trust all the javascript which runs
> on your origin.

Ian Hickson wrote:
> The Web has a same-origin security model. If you're sharing
> one origin between two untrusted authors, you've already lost.
> For example, today you could already do what you describe -- just use
> window.open() to open the topclientsonly/login page, and then inject
> script to grab the password.

Yes of course, I should have thought about that :-P. As
you say, it is trivial to add a frame that displays
the victim page and then patch it to my needs.
Well, if there will ever be a path-based security
mechanism (as suggested in my other thread) I guess
it could apply to pushState as well.
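An added illustration, not part of this thread, of the check browsers apply to the URL argument of pushState() (same origin required, cross-origin rejected with a SecurityError) beside a hypothetical path-scoped variant modelling the path-based mechanism suggested above; the document URLs and the `checkPushStateUrl` / `checkScopedPushStateUrl` names are constructed for the example:

```javascript
// Added example (not code from the whatwg thread). Uses only the WHATWG URL
// API, so it runs in Node without a browser.

// Resolve `target` against the document URL and return it only if a browser
// would accept it for history.pushState(): the resolved URL must share the
// document's origin (scheme, host, port); anything else is a SecurityError.
// Any path on the same origin passes, which is why the address-bar path
// alone says nothing about which same-origin page produced it.
function checkPushStateUrl(documentUrl, target) {
  const current = new URL(documentUrl);
  const resolved = new URL(target, current);
  if (resolved.origin !== current.origin) {
    throw new Error(`SecurityError: ${resolved.href} is not same-origin with ${current.origin}`);
  }
  return resolved.href;
}

// Hypothetical path-scoped variant (no browser implements this): a page
// served under `allowedPrefix` may only push URLs that stay under that
// prefix, so it cannot present itself as another path on the same host.
function checkScopedPushStateUrl(documentUrl, target, allowedPrefix) {
  const href = checkPushStateUrl(documentUrl, target);
  const path = new URL(href).pathname;
  const prefix = allowedPrefix.endsWith('/') ? allowedPrefix : allowedPrefix + '/';
  if (path !== allowedPrefix && !path.startsWith(prefix)) {
    throw new Error(`ScopeError: ${path} escapes ${allowedPrefix}`);
  }
  return href;
}

// Constructed sample document URL; the host echoes the thread's example.
const page = 'http://google.com/~mwilson/index.html';
console.log(checkPushStateUrl(page, '/~mwilson/other'));     // same origin: accepted
console.log(checkPushStateUrl(page, '/securesite/login'));   // same origin, other path: also accepted
try { checkPushStateUrl(page, 'https://google.com/securesite'); }           // scheme differs: rejected
catch (e) { console.log(e.message); }
try { checkScopedPushStateUrl(page, '/securesite/login', '/~mwilson'); }    // scoped check rejects it
catch (e) { console.log(e.message); }
```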
