Re: [cors] Protecting benign but buggy client side code

2010-08-27 Thread Anne van Kesteren
On Sat, 21 Aug 2010 03:59:09 +0200, Devdatta Akhawe wrote:

> It seems that over here facebook is a benign server that some time in
> the past assumed that XHR can only be same origin, and with the
> introduction of cross origin XHR is suddenly vulnerable to XSS. In
> general, a client needs to 'add' stuff to its js to be safe after the
> introduction of XHR. This isn't ideal.


Yeah, this was discussed some time ago on this list already. We decided
this risk was minor enough, especially now lots of shipping clients expose
this already.



--
Anne van Kesteren
http://annevankesteren.nl/



[cors] Protecting benign but buggy client side code

2010-08-20 Thread Devdatta Akhawe
Hi

The CORS specification in its current form seems to be very concerned
about increasing attack surface of benign servers (the preflight
request etc. concern). Seeing [1] I am concerned about the other case
- benign clients and malicious cross origin servers.

For the tl;dr crowd, my (possibly wrong) summary of the attack:
facebook.com loads content using the stuff after a '#' in a URL, thus
facebook.com/#profile.php loads content from facebook.com/profile.php
using XHR.
A URL like facebook.com/#evil.com/evil.php, with evil.com configured
to "AccessControlAllowOrigin *" could result in HTML injection.

It seems that over here facebook is a benign server that some time in
the past assumed that XHR can only be same origin, and with the
introduction of cross origin XHR is suddenly vulnerable to XSS. In
general, a client needs to 'add' stuff to its js to be safe after the
introduction of XHR. This isn't ideal.


Regards
devdatta

[1] http://m-austin.com/blog/?p=19
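The client-side bug pattern Devdatta summarises above (the text after '#' is handed to XHR unchecked, which was harmless while XHR was same-origin only and becomes an injection vector once a cross-origin server answers with Access-Control-Allow-Origin: *) is easiest to see next to its fix. The following is an added illustration written for this thread; it is not code from facebook.com, from the linked blog post, or from the CORS spec. It assumes a page origin of https://facebook.com and replaces location.hash and XMLHttpRequest with plain function arguments and a request log so it runs under Node.js; the fragments fed through it are constructed test values.

```javascript
// Added illustration (not code from the thread or from facebook.com): a
// hash-driven content loader, first in the buggy shape the thread describes
// (the fragment after '#' becomes the request URL unchecked), then hardened
// so only same-origin targets are ever requested. PAGE_ORIGIN stands in for
// the browser's location.origin; requestLog stands in for XMLHttpRequest.

const PAGE_ORIGIN = "https://facebook.com"; // constructed value for the demo

// Buggy resolver: whatever follows '#' is resolved and handed to the request
// layer. "#profile.php" -> https://facebook.com/profile.php (intended);
// "#//evil.com/evil.php" -> https://evil.com/evil.php (cross-origin, and the
// response is then injected into the page as if it were first-party content).
function resolveTargetUnchecked(hash) {
  const path = hash.startsWith("#") ? hash.slice(1) : hash;
  return new URL(path, PAGE_ORIGIN + "/").href;
}

// Hardened resolver: identical resolution, but the URL is only returned when
// its *resolved* origin is the page's own; anything else yields null so no
// request is made. Comparing the parsed origin (not scanning the string for
// "http:" or "//") covers scheme-relative, absolute and javascript:/data:
// forms alike, since those resolve to a foreign or "null" origin.
function resolveTargetSameOrigin(hash) {
  const path = hash.startsWith("#") ? hash.slice(1) : hash;
  let target;
  try {
    target = new URL(path, PAGE_ORIGIN + "/");
  } catch (e) {
    return null; // unparsable fragment: refuse rather than guess
  }
  if (target.origin !== PAGE_ORIGIN) return null;
  return target.href;
}

// Request-layer stand-in: records the URL a real client would pass to
// XMLHttpRequest. Note the hardened path never reaches this point for a
// cross-origin target, so it does not matter what ACAO header that server sets.
function loadFromHash(hash, resolver, requestLog) {
  const url = resolver(hash);
  if (url === null) {
    return { requested: false, url: null };
  }
  requestLog.push(url);
  return { requested: true, url };
}

// Walk a few constructed fragments through both resolvers and return the
// URLs each one would have fetched.
function demo() {
  const fragments = [
    "#profile.php",               // the intended use
    "#//evil.com/evil.php",       // scheme-relative cross-origin target
    "#https://evil.com/evil.php", // absolute cross-origin target
    "#/profile.php?x=1",          // root-relative, still same-origin
  ];
  const unchecked = [];
  const hardened = [];
  for (const f of fragments) {
    loadFromHash(f, resolveTargetUnchecked, unchecked);
    loadFromHash(f, resolveTargetSameOrigin, hardened);
  }
  return { unchecked, hardened };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin check is deliberately done on the parsed URL rather than on the raw fragment: a string check for "http" would miss the scheme-relative "//evil.com" form, which is exactly the shape a fragment like "#evil.com/evil.php" can take once it is joined onto a path. Rejecting before the request is issued is what makes the client safe regardless of how permissive a third-party server's CORS headers are.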