System.download [was ...]
vitteaymeric at gmail.com
Fri Jul 13 01:39:30 PDT 2012
On 12/07/2012 01:17, Jason Orendorff wrote:
> On Mon, Jul 9, 2012 at 6:04 PM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
>> If the answer is that it is not possible because of the same origin policy,
>> then it is not difficult to show that this policy can be broken already, by
>> some "manipulations", then it's better to have something clean.
> Please do explain what "manipulations" you have in mind here.
> As I understand it, the same-origin policy is what prevents other web
> sites you visit from sending HTTP requests to your bank (for example),
> with your login cookie attached, and looking at the responses. It
> seems like it would be a major security hole if that could be easily
Your example is specific: you first need to get the bank cookie, which is
not easy. More generally, MDN docs state:
"The same origin policy prevents a document or script loaded from one
origin from getting or setting properties of a document from another
Then the same MDN docs say:
"|window.postMessage| is a method for safely enabling cross-origin
communication. Normally, scripts on different pages are only allowed to
access each other if and only if the pages which executed them are at
locations with the same protocol (usually both |http|), port number
(|80| being the default for |http|), and host (modulo document.domain
<https://developer.mozilla.org/en/DOM/document.domain> being set by both
pages to the same value). |window.postMessage| provides a controlled
mechanism to circumvent this restriction in a way which is secure when
Then for example postMessage is breaking the first statement, not saying
that it is not useful, we did use it here
http://extractwidget.com/#demo: you go on a site, inject the code,
select your gadget and then via iframe and postMessage you log in and
record the gadget on our site, but "which is secure when properly used"
indicates that some bad uses could be made.
There is the cross domain xhr with access control too.
But coming back to my point, I am not talking about a download like an
xhr where you can set cookies, do post requests, etc., just a download
that fetches the source, so I don't see it as more dangerous than script or
img fetching (or System.load) for example.
Email : avitte at jcore.fr
Web : www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
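Added example, not code from this thread or from any of the sites mentioned in it: a postMessage receiver that illustrates the "secure when properly used" qualifier quoted above, checking the sender's origin and the message shape before acting, beside one that does not, plus a sender that refuses a wildcard target origin. The origins, action names and MessageEvent-like objects are constructed assumptions so it runs under Node.

```javascript
// Origins this page is willing to accept messages from (assumed values).
const TRUSTED_ORIGINS = new Set(["https://widgets.example"]);
// Actions the receiving page knows how to perform (assumed values).
const ALLOWED_ACTIONS = new Set(["saveGadget", "ping"]);

// Unsafe receiver: acts on whatever arrives, from any origin.
// Any page holding a reference to this window can drive it.
function unsafeHandler(event) {
  return { accepted: true, action: event.data && event.data.action };
}

// Safer receiver: allowlist the sender's origin, then validate the
// message structure and the requested action before doing anything.
function safeHandler(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.action !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (!ALLOWED_ACTIONS.has(data.action)) {
    return { accepted: false, reason: "unknown action" };
  }
  return { accepted: true, action: data.action };
}

// Sending side: always name the target origin. With "*" the browser would
// deliver the message even if the frame has since navigated elsewhere.
function postToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin");
  }
  frameWindow.postMessage(message, targetOrigin);
}

// Constructed sample events standing in for browser MessageEvent objects.
const fromTrusted = { origin: "https://widgets.example", data: { action: "saveGadget" } };
const fromStranger = { origin: "https://evil.example", data: { action: "saveGadget" } };
const malformed = { origin: "https://widgets.example", data: "saveGadget" };

// In a real page the safe handler would be registered like this.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => safeHandler(e));
}
```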