On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.cl...@gmail.com> wrote:
> I don't have any numbers, but I believe using a plaintext password in
> the request body or URL is a fairly common design in web applications.
> I certainly see it in a lot of protocol documentation. Before CORS,
> there was no threat of this password being sent to the wrong site,
> since the client code could only message with the one site. Now the
> attacker can instruct the browser to message with additional sites.

That's wrong actually. There are plenty of ways to send messages cross-origin nowadays:

 * <img src>
 * <iframe src>
 * <object data>
 * <embed src>
 * <form action>
 * <script src>
 * 'background-image'
 * 'cursor'
 * 'list-style-image'
 * ...

(All can be instantiated from script, in case that was not clear.)


--
Anne van Kesteren
http://annevankesteren.nl/
