On 2 December 2013 09:09, Alex <alxtsk...@gmail.com> wrote:

> This attack is not possible with non js content loaded by XHR or iframes,
> as the browser enforces cross-domain restrictions for both, and evil site
> will not be able to get at good site's content.
>
If the operators of EvilSite have gone to such lengths to contrive forms and overridden JS methods to potentially steal a tiny bit of possibly private HTML and data, could they not take the next small step and use a browser that *does not* enforce cross-domain restrictions on XHR? (or frankly, write their hacks with wget or curl)
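The distinction the quoted message draws (script-embedded JavaScript versus content fetched by XHR or iframes) modelled as a small Rack-style check; this is an added example, not code from the thread or from Rails. It assumes a Rack-like `env` hash, and the helper and constant names are assumptions.

```ruby
# A <script src="https://good.example/data.js"> tag on another origin runs
# the response inside the attacker's page, so per-user data in a JavaScript
# body can leak. XHR and iframes are held to the same-origin policy, and a
# cross-origin <script> load cannot set custom request headers, so requiring
# X-Requested-With on JavaScript GET responses blocks the script embedding.
# (Rack-like env shape, helper and constant names are assumptions.)

JS_TYPES = %w[text/javascript application/javascript].freeze

# Returns true when the request looks like a cross-origin <script> load of a
# JavaScript response: GET, JavaScript media type, and no XHR marker header.
def cross_origin_script_load?(env, content_type)
  return false unless env["REQUEST_METHOD"] == "GET"
  media_type = content_type.to_s.split(";").first.to_s.strip
  return false unless JS_TYPES.include?(media_type)
  env["HTTP_X_REQUESTED_WITH"] != "XMLHttpRequest"
end

# Builds a Rack-style response triple; refuses JavaScript bodies that were
# not requested via XHR, serves everything else unchanged.
def serve(env, content_type, body)
  if cross_origin_script_load?(env, content_type)
    [403, { "Content-Type" => "text/plain" }, ["JavaScript responses require an XHR request"]]
  else
    [200, { "Content-Type" => content_type }, [body]]
  end
end

# Constructed sample requests (not captured traffic).
SCRIPT_TAG_GET = { "REQUEST_METHOD" => "GET" }   # <script src=...> from another origin
XHR_GET = { "REQUEST_METHOD" => "GET", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }
POST_FORM = { "REQUEST_METHOD" => "POST" }       # POSTs are handled by CSRF tokens instead

if __FILE__ == $0
  [SCRIPT_TAG_GET, XHR_GET].each do |env|
    status, = serve(env, "text/javascript; charset=utf-8", "var secret = 'per-user';")
    puts "#{env.inspect} => #{status}"
  end
end
```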