Matthew Toseland wrote:
>>  - not fixing the real problem ( there are other ways to know if you
>> are running freenet.
>>     for example, just include a
>>     <img src="http://127.0.0.1:8888" onLoad="freenetLoaded();" />
>>
>
> IMHO this qualifies as a cross-site scripting attack. Don't browsers have to 
> prevent this already? Just as you can't access a frame opened to another 
> site?
>   

Well, the basic idea of loading an image from another site is perfectly 
legit. That the port is non-80 does indeed make it look suspicious, but 
is nevertheless used in legit ways sometimes. The onLoad hook is fine as 
well. Allowing image loading from localhost when the script is executed 
from the internet *is* however a security flaw in my eyes :-/.

- Zero3
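
The flaw described above can also be closed on the side of the local service. The following is an added example, not code from this thread or from Freenet: a request filter a loopback-only HTTP service could apply so that the quoted `<img>` probe gets an error response instead of a loadable image. The port is taken from the quoted URL; the function names, the set of accepted hosts and the sample request are assumptions.

```javascript
// Added example: request filter for a loopback-only HTTP service.
const LOCAL_PORT = 8888; // port from the URL quoted in the thread

// Names under which the service legitimately addresses itself (assumed set).
const OWN_HOSTS = new Set([
  `127.0.0.1:${LOCAL_PORT}`,
  `localhost:${LOCAL_PORT}`,
  `[::1]:${LOCAL_PORT}`,
]);

// host:port of a URL-valued header, or null if it does not parse (e.g. "null").
function hostOf(value) {
  try {
    return new URL(value).host.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether to serve a request. `headers` uses lower-cased names,
// as Node's http module delivers them.
function decide(headers) {
  // An unexpected Host value means the request was not addressed to us by name.
  const host = (headers['host'] || '').toLowerCase();
  if (!OWN_HOSTS.has(host)) return { allow: false, reason: 'bad-host' };

  // Fetch Metadata: the browser states how the requester relates to us.
  // 'same-site' is not enough, since other ports on localhost are same-site.
  const site = headers['sec-fetch-site'];
  if (site !== undefined) {
    const ok = site === 'same-origin' || site === 'none'; // none = typed URL or bookmark
    return { allow: ok, reason: ok ? 'fetch-metadata' : 'cross-site' };
  }

  // Clients without Fetch Metadata: fall back to Origin, then Referer.
  const raw = headers['origin'] || headers['referer'];
  if (raw === undefined) return { allow: true, reason: 'no-context' };
  const src = hostOf(raw);
  if (src === null || !OWN_HOSTS.has(src)) return { allow: false, reason: 'foreign-origin' };
  return { allow: true, reason: 'own-origin' };
}

// Constructed sample: the <img> probe embedded in a page on another site.
const probe = { host: '127.0.0.1:8888', 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'image' };
console.log(decide(probe));
```

Answering rejected requests with an error status keeps `onLoad` from firing for the embedding page. It does not remove differences between a closed port and a rejected request that a page can still observe through error timing.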
