On Mon, May 19, 2008 at 11:54 PM, Mike Shaver <[EMAIL PROTECTED]> wrote:
> On Sun, May 18, 2008 at 10:50 AM, Steven Mascaro <[EMAIL PROTECTED]> wrote:
>> For example, suppose that it were possible to retrieve the text of any
>> <script src="..."></script> element using '.textContent' from
>> javascript, regardless of origin. You'll agree that this is
>> unthinkable today. But I assume you'll also agree that there is no
>> security problem in doing this if no cookies (or other private data)
>> are sent in the initial request to retrieve the script page?
>
> I wouldn't make that assumption, and I doubt that Brendan would agree.
>
> http://publicsite.com/lolhax.html containing <script
> src="http://intranet/internallyPublicResource?format=json"></script>,
> for example.
Point taken. I remember worrying about this with the intranet I manage, so I made every (generated) page require authentication. But granted, not everyone will do this. Still, there are some arguments against this (and for urging intranet developers to use authentication):

1) Sensitive JS functions and variables are still exposed in the same way.

2) Various privileged actions can still be performed, such as accessing or posting to URLs that trigger internal actions.

3) "Fishing" style attacks have very low returns because internal URLs are difficult to guess. They will be easy to guess for either major intranet packages or major organisations, but those *must* use authentication anyway (see 1 & 2).

4) The vast bulk of JSON data delivered this way will be customised to the user, and hence involve cookies (yes, I am myopic, aren't I? :) ). Anything not customised to the user is unlikely to contain sensitive data (because it will be available to anyone with access to the intranet --- from managers to work experience kids). Granted, there will be developers who think 'programming code' means 'invisible', but those developers will either be bitten by much harder problems soon enough, or won't encounter any problems at all because their code is not used by enough people.

Again, though, I feel that this is an example of 'private data' abuse by a 3rd party (where the private data here are credentials). I get panicky every time I do something as simple as *linking* to a public website from an intranet page (and hence use anonymous redirects). I would much prefer if it were not possible to mix data from two different networks (in this case, internet/intranet) without being completely explicit, but I understand that would require some major changes.
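The mitigation Steven describes (require authentication on every intranet resource), written out as a request gate for a JSON endpoint of the kind Mike's `<script src="http://intranet/...?format=json">` example targets. This is an added example, not code from either poster; the session-cookie name, the request shape and the session store are assumptions, and the anti-script prefix plus `nosniff` header go one step beyond the thread as extra hardening against the script-inclusion route.

```javascript
// Added example (not from the thread). Gate for an intranet JSON endpoint:
// refuse requests without a valid session, and frame the JSON so that a
// public page including the URL via <script src> cannot execute it.
// Assumptions: cookie name, request shape { headers }, and `validSessions`
// standing in for a real session store.

const SESSION_COOKIE = 'intranet_session';
// A leading ")]}'," is a JavaScript syntax error, so the body cannot run as a script.
const ANTI_SCRIPT_PREFIX = ")]}',\n";

function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Decide the response for one request to the internal JSON resource.
function handleInternalJson(req, data, validSessions) {
  const cookies = parseCookies(req.headers['cookie']);
  const session = cookies[SESSION_COOKIE];
  if (!session || !validSessions.has(session)) {
    // No credentials: nothing internal is returned, regardless of how the
    // request was triggered (script tag, link, direct fetch).
    return { status: 401, headers: { 'content-type': 'text/plain' }, body: 'authentication required' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      // With nosniff, browsers refuse to run a non-JavaScript MIME type as script.
      'x-content-type-options': 'nosniff',
      'cache-control': 'no-store',
    },
    body: ANTI_SCRIPT_PREFIX + JSON.stringify(data),
  };
}

// The legitimate intranet client strips the prefix before parsing.
function parseInternalJson(body) {
  if (!body.startsWith(ANTI_SCRIPT_PREFIX)) throw new Error('unexpected framing');
  return JSON.parse(body.slice(ANTI_SCRIPT_PREFIX.length));
}
```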
