[whatwg] element "img" with HTTP POST method
Tab Atkins Jr.
jackalmage at gmail.com
Thu Dec 9 20:35:13 PST 2010
On Thu, Dec 9, 2010 at 7:15 PM, Adam Barth <w3c at adambarth.com> wrote:
>>>> On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <phil127 at gmail.com> wrote:
>>>>> There are quite a number of older web forums that sanitize their HTML using black lists and would not strip new attributes like "post-data". For malicious users, it would be very easy to include e.g. <img src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some spam URL)"> in their signature and have users doing involuntary posts by simply viewing a thread.
>>>>
>>>> Indeed. You shouldn't be able to trigger POSTs from involuntary
>>>> actions. They should always require some sort of user input, because
>>>> there is simply *far* too much naive code out there that is vulnerable
>>>> to CSRF.
>>>
>>> Unfortunately, the attacker can already trigger POSTs with involuntary
>>> actions. That code is already vulnerable attack, sadly.
>>
>> Via scripting, yes, which is usually stripped out by sanitizers (or
>> just plain doesn't work, like javascript urls in images). I don't
>> believe there are any declarative ways to trigger involuntary POSTs,
>> are there?
>
> The attacker can always make a giant invisible button that covers the
> whole page that submits a form. Web sites can generate POST requests
> without user intervention. Anyone who's using POST as a security
> feature as far bigger troubles than this attribute.
Heh, agreed about that.
But still, none of those are new POST-ing abilities that can be
utilized by J. Random User on a message board with half-decent
security.
~TJ
More information about the whatwg
mailing list