Or is it the old problem with domain wide cookies? I give a cookie for x.com on jake.x.com and you read my cookie on karl.x.com? You still can't ajax to jake.x.com.
It sounds like disinformation to me!

On 4/2/07, Karl Rudd <[EMAIL PROTECTED]> wrote:
Bah, it's not a new vulnerability, it's always been there and always been known about. I call FUD on this.

The following is an excerpt that is the keystone of the whole thing:

"In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

Firstly _don't visit suspect sites_.

Secondly their "example attack" is flawed. As far as I'm aware JavaScript code on one page does not have access to the cookies of other webpages. If it does it's a security flaw in the browser, nothing a JavaScript library can do about it.

Karl Rudd

On 4/3/07, Kush Murod <[EMAIL PROTECTED]> wrote:
>
> Hi guys,
>
> Article below says all big JS Libraries are vulnerable including JQuery
> I didn't quite understand the article, but was hoping for some feedback
> on it
>
> http://www.cbronline.com/article_news.asp?guid=484BC88B-630F-4E74-94E9-8D89DD0E6606
>
>
> Cheers,
>
> --
> Kush Murod, Web applications developer
> Sensory Networks
> [E] [EMAIL PROTECTED]
> [W] www.sensorynetworks.com
> [T] +61 2 8302 2745
> [F] +61 2 9475 0316
> [A] Level 6, 140 William Street East Sydney 2011
>
-- Ⓙⓐⓚⓔ - יעקב ʝǡǩȩ ᎫᎪᏦᎬ