Well, Anne, as I said in the previous paragraph, the one you deleted, I'm considering an application that does its messaging via XMLHttpRequest.
Sheesh.

--Tyler

On Mon, Apr 6, 2009 at 4:47 PM, Anne van Kesteren <ann...@opera.com> wrote:
> On Tue, 07 Apr 2009 01:37:05 +0200, Tyler Close <tyler.cl...@gmail.com>
> wrote:
>>
>> I don't have any numbers, but I believe using a plaintext password in
>> the request body or URL is a fairly common design in web applications.
>> I certainly see it in a lot of protocol documentation. Before CORS,
>> there was no threat of this password being sent to the wrong site,
>> since the client code could only message with the one site. Now the
>> attacker can instruct the browser to message with additional sites.
>
> That's wrong actually. There are plenty of ways to send messages
> cross-origin nowadays:
>
> * <img src>
> * <iframe src>
> * <object data>
> * <embed src>
> * <form action>
> * <script src>
> * 'background-image'
> * 'cursor'
> * 'list-style-image'
> * ...
>
> (All can be instantiated from script, in case that was not clear.)
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/