So the issue is not confidentiality, it is inappropriate script execution. Got it.
Thanks Anne
regards, Frederick
Frederick Hirsch
Nokia
On Jul 1, 2009, at 5:34 AM, ext Anne van Kesteren wrote:
I might not have time to address your larger set of questions before I leave on vacation tomorrow, but I thought I could at least answer this one.
On Tue, 30 Jun 2009 17:38:20 +0200, Frederick Hirsch <frederick.hir...@nokia.com> wrote:
One additional question regarding a cross-site GET (using "browser" here for simplicity of terms) (for example, see [1]).
Is it true that
1. the GET results in the content being returned on the wire with an Access-Control-Allow-Origin header,
2. the browser then checks this header and enforces policy,
3. if policy disallows, then the browser does not allow the content to be used.
Yes, this is correct.
In any case, doesn't this open an attack to get the content by sniffing the wire for the response content, regardless of the header?
If that is a viable attack scenario such servers are already exposed due to e.g. cross-origin <img> or <iframe> loading which already works today.
Or e.g. by simply setting window.location to the address from which you want to sniff the response.
All the header is effectively protecting is exposing the "raw" contents of a cross-origin resource to script.
[1] http://arunranga.com/examples/access-control/SimpleXSInvocation.txt
--
Anne van Kesteren
http://annevankesteren.nl/