On Fri, 14 Apr 2006, Julian Reschke wrote:
>
> Summary (from [2]):
>
> > The XmlHttpRequest object (implemented now in all current browsers)
> > allows issuing arbitrary HTTP (and WebDAV) requests under the
> > credentials of the authenticated user, in particular the DELETE
> > method.
> >
> > If user A prepares an HTML page containing code that will issue a
> > DELETE request against one of user B's resources, and tricks him/her
> > into navigating to that page, the browser will issue the DELETE
> > request with B's credentials (no confirmation required).

This is just your typical XSS attack.

   http://en.wikipedia.org/wiki/Cross_Site_Scripting

The solution is to not allow scripts uploaded by one user to be displayed
to another user, or to only allow them to be displayed on a site that is
unrelated to where you are doing your authenticated edits.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
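The reply's suggested fix (render uploaded pages only on an origin that carries no editing credentials) as an added, runnable sketch. This is example code written for this page, not code from the thread or from any of the participants; the host names, session table, resource store and the `Origin`/`X-CSRF-Token` checks on the editing origin are constructed assumptions, and the token check is a defence-in-depth layer beyond what the message itself proposes.

```python
import hmac

# Constructed origins (assumptions for this example, not from the thread).
MAIN_HOST = "wiki.example.test"            # authenticated edits happen only here
SANDBOX_HOST = "usercontent.example.test"  # user-uploaded HTML is rendered only here

# Constructed session table: cookie value -> (user, per-session anti-CSRF token).
SESSIONS = {"sess-B": ("userB", "token-B-9f1c")}

# Constructed resource store: path -> (owner, HTML body). "evil.html" stands in
# for a page uploaded by user A that carries a script (contents irrelevant here).
RESOURCES = {
    "/pages/report.html": ("userB", "<p>B's report</p>"),
    "/pages/evil.html": ("userA", "<script>/* script uploaded by user A */</script>"),
}

READ_ONLY = {"GET", "HEAD", "OPTIONS", "PROPFIND"}


def handle(method, host, path, cookies=None, headers=None):
    """Tiny dispatcher returning (status, body).

    Credentials are honoured only on MAIN_HOST, and uploaded content is
    rendered only on SANDBOX_HOST, so a script in an uploaded page never
    runs on the origin where a user's session is valid.
    """
    cookies = cookies or {}
    headers = headers or {}
    method = method.upper()

    if host == SANDBOX_HOST:
        # Read-only origin that ignores cookies entirely: whatever script an
        # uploaded page contains, there is nothing here it can delete or modify.
        if method not in ("GET", "HEAD"):
            return 405, "method not allowed on the user-content origin"
        if path not in RESOURCES:
            return 404, "not found"
        return 200, RESOURCES[path][1]

    if host != MAIN_HOST:
        return 404, "unknown host"

    # Editing origin: never render uploaded HTML inline; hand it to the sandbox.
    if method in ("GET", "HEAD"):
        if path not in RESOURCES:
            return 404, "not found"
        return 302, "https://%s%s" % (SANDBOX_HOST, path)

    if method in READ_ONLY:
        return 200, "ok"  # other read-only methods change nothing

    # State-changing method (DELETE, PUT, ...): require a session, a request
    # that originated from this origin, and the session's anti-CSRF token.
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "authentication required"
    user, expected_token = session
    if headers.get("Origin") != "https://%s" % MAIN_HOST:
        return 403, "cross-origin state change refused"
    if not hmac.compare_digest(headers.get("X-CSRF-Token", ""), expected_token):
        return 403, "missing or wrong anti-CSRF token"

    if method == "DELETE":
        if path not in RESOURCES:
            return 404, "not found"
        if RESOURCES[path][0] != user:
            return 403, "not the owner"
        del RESOURCES[path]
        return 204, ""
    return 501, "not implemented in this example"


if __name__ == "__main__":
    # A page uploaded by A is never rendered on the editing origin ...
    print(handle("GET", MAIN_HOST, "/pages/evil.html"))
    # ... and on the sandbox origin a DELETE is refused regardless of cookies.
    print(handle("DELETE", SANDBOX_HOST, "/pages/report.html", {"session": "sess-B"}))
```

The separation is the real control: because the sandbox host never honours the session cookie, a script on an uploaded page cannot act as user B at all; the `Origin` and token checks on the editing host only matter if uploaded content ever leaks back onto it.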
