I think Opera would have been the last to change. I'm not sure of IE because early versions of IE have poor ECMAScript support. You might override Array(), but I doubt you can override Object with the __defineGetter__.

On May 17, 2012, at 9:37 AM, Chris Steipp wrote:

> On Thu, May 17, 2012 at 6:32 AM, Andrew Garrett <[email protected]> wrote:
>
>> On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen
>> <[email protected]> wrote:
>>
>>> Yes. Except you can get tokens by the api. If we didn't drop permissions
>>> to anon and reject requests for tokens to JSONP then it would be possible
>>> for a 3rd party website to use JSONP to extract an edit token, and then
>>> initiate a background iframe form POST to make an edit under your account.
>>
>> Read up. :)
>>
>> Terry/Roan mentioned that you can use regular JSON output format, and
>> override the property setter to steal the data.
>
> We've tried to make sure that there is no way to pull the edit token cross
> site. That would be a violation of our security assumptions, so we would
> try to fix it asap.
>
> I've actually been looking at the override attack in my spare time for the
> past few weeks (since I found out the edit token was available in json). I
> haven't been able to find a browser that it works in yet, although I'm
> suspicious of IE 6/7 and haven't had the time to test yet. If someone does
> find a working example for a specific browser, please do notify me!
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
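
The mitigation described in the quoted text above (handle JSONP requests as anonymous and refuse to hand out tokens over JSONP), sketched as an added example; it is not MediaWiki's code and not written by anyone in this thread. The request shape, the `callback` and `want` parameter names, the session store and the token values are all constructed for illustration.

```javascript
// Added illustration; hypothetical names throughout, not the MediaWiki API.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Constructed session store: session cookie value -> user record.
const SESSIONS = new Map([
  ['sess-constructed-1', { name: 'Alice', editToken: 'tok-constructed-abc' }],
]);
const ANON = { name: null, editToken: null };

function respond(status, type, body) {
  return {
    status,
    headers: { 'Content-Type': type, 'X-Content-Type-Options': 'nosniff' },
    body,
  };
}

function handleApiRequest({ params = {}, cookies = {} }) {
  const jsonp = Object.prototype.hasOwnProperty.call(params, 'callback');
  if (jsonp && !CALLBACK_RE.test(params.callback)) {
    return respond(400, 'text/plain; charset=utf-8', 'invalid callback');
  }
  // A JSONP response can be read by any site that loads it with <script>,
  // so the session cookie is ignored and the request runs as anonymous.
  const user = jsonp ? ANON : (SESSIONS.get(cookies.session) || ANON);

  const data = { user: user.name };
  if (params.want === 'token') {
    if (jsonp) {
      // Refuse outright instead of quietly returning an anonymous token.
      return respond(403, 'text/plain; charset=utf-8', 'no tokens via JSONP');
    }
    data.editToken = user.editToken;
  }
  // The top-level JSON value is always an object, never a bare array.
  const json = JSON.stringify(data);
  return jsonp
    ? respond(200, 'application/javascript; charset=utf-8',
              `${params.callback}(${json})`)
    : respond(200, 'application/json; charset=utf-8', json);
}
```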
