January 12, 2018 11:07 PM, "Paul Fertser" <fercer...@gmail.com> wrote:
> Hey Josef,
>
> Nice one, thank you. Good thing I'm running noscript.

Note that you technically don't need to use JavaScript to make the request - see https://bouk.co/blog/hacking-developers/ for a plain <form>-based version.

> BTW, what is the real and proper fix for this kind of attack? To me
> it sounds like the web-browser itself shouldn't be able to send any
> requests with a JS loaded from one website to other hosts.

I don't think there is any application-side "nice" fix. A simple heuristic on the browser side such as "don't allow websites from not-localhost to make requests to anywhere localhost" would surely help in most (but not all) cases; I am not sure why modern browsers don't implement that (see this related Twitter thread https://twitter.com/taviso/status/951537891372556288 ). There are also the "unsafe" (irc, smtp...) ports which modern browsers refuse to connect to.

> --
> Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
> mailto:fercer...@gmail.com

_______________________________________________
OpenOCD-devel mailing list
OpenOCD-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openocd-devel
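As an added illustration of the two defensive ideas discussed in this message (not code from OpenOCD or from either poster), the block below implements the proposed browser-side heuristic "a page not served from localhost may not request anything on localhost" as a policy function, and beside it a service-side check that flags a connection to a non-HTTP local port whose first bytes look like a browser's HTTP request. The hostnames, URLs and the sample telnet-style command are constructed; `LOOPBACK_NAMES` and the function names are this example's own, not any browser's or OpenOCD's.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Names browsers commonly treat as loopback (constructed list, not exhaustive).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Request line of an HTTP/1.x request, as a browser would send it from a <form> or fetch().
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH) \S+ HTTP/1\.[01]\r?\n"
)


def is_loopback_host(host: str) -> bool:
    """True if `host` (a hostname or IP literal) clearly names the local machine.

    Only literal addresses and well-known loopback names are recognised; an
    ordinary DNS name that happens to resolve to 127.0.0.1 (DNS rebinding) is
    not detected here, which is one of the "not all cases" the heuristic misses.
    """
    h = host.strip().lower().rstrip(".")
    if h.startswith("[") and h.endswith("]"):  # bracketed IPv6 literal
        h = h[1:-1]
    if h in LOOPBACK_NAMES or h.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        return False  # plain DNS name: cannot decide without resolving it
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return addr.is_loopback


def browser_localhost_policy(page_url: str, target_url: str) -> bool:
    """Return True if a page at `page_url` may send a request to `target_url`.

    This is the heuristic from the message: block only when a non-loopback
    page targets a loopback host; everything else is left to the usual rules.
    """
    page_host = urlsplit(page_url).hostname or ""
    target_host = urlsplit(target_url).hostname or ""
    if is_loopback_host(target_host) and not is_loopback_host(page_host):
        return False
    return True


def looks_like_http_request(first_bytes: bytes) -> bool:
    """Service-side check for a debug/telnet-style port that never speaks HTTP.

    If the first line a client sends is an HTTP request line, the peer is
    almost certainly a browser, so the connection can be closed and logged.
    """
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


if __name__ == "__main__":
    # Constructed sample decisions for the browser-side heuristic.
    for page, target in [
        ("https://site.example/", "http://127.0.0.1:4444/"),
        ("http://localhost:8080/", "http://[::1]:4444/"),
        ("https://site.example/", "https://api.example/"),
    ]:
        verdict = "allow" if browser_localhost_policy(page, target) else "block"
        print(f"{page} -> {target}: {verdict}")

    # Constructed sample traffic on a local command port.
    for data in [b"reset halt\n", b"POST / HTTP/1.1\r\nHost: localhost:4444\r\n"]:
        print(repr(data[:20]), "HTTP-shaped" if looks_like_http_request(data) else "ok")
```

The policy function deliberately returns False only for the one pattern the message names; the DNS-name branch in `is_loopback_host` shows why the heuristic helps "in most (but not all) cases": a browser that does not resolve the name before deciding cannot tell an external-looking hostname from one that points at loopback.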