System.download [was ...]

Aymeric Vitte vitteaymeric at gmail.com
Fri Jul 13 01:39:30 PDT 2012


On 12/07/2012 01:17, Jason Orendorff wrote:
> On Mon, Jul 9, 2012 at 6:04 PM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
>> If the answer is that it is not possible because of the same origin policy,
>> then it is not difficult to show that this policy can be broken already, by
>> some "manipulations", then it's better to have something clean.
> Please do explain what "manipulations" you have in mind here.
>
> As I understand it, the same-origin policy is what prevents other web
> sites you visit from sending HTTP requests to your bank (for example),
> with your login cookie attached, and looking at the responses. It
> seems like it would be a major security hole if that could be easily
> circumvented.
>
> -j
Your example is specific: you first need to get the bank cookie, which is 
not easy. More generally, the MDN docs state:

"The same origin policy prevents a document or script loaded from one 
origin from getting or setting properties of a document from another 
origin."

Then the same MDN docs say:

"window.postMessage is a method for safely enabling cross-origin 
communication. Normally, scripts on different pages are only allowed to 
access each other if and only if the pages which executed them are at 
locations with the same protocol (usually both http), port number 
(80 being the default for http), and host (modulo document.domain 
<https://developer.mozilla.org/en/DOM/document.domain> being set by both 
pages to the same value). window.postMessage provides a controlled 
mechanism to circumvent this restriction in a way which is secure when 
properly used."

So postMessage, for example, breaks the first statement. I am not saying 
that it is not useful; we did use it here 
http://extractwidget.com/#demo: you go to a site, inject the code, 
select your gadget, and then via an iframe and postMessage you log in and 
record the gadget on our site. But "which is secure when properly used" 
indicates that some bad uses could be made.

There is cross-domain XHR with access control too.

But coming back to my point, I am not talking about a download like an 
XHR where you can set cookies, do POST requests, etc., just a download 
that fetches the source, so I don't see it as more dangerous than script 
or img fetching (or System.load), for example.

-- 
jCore
Email :  avitte at jcore.fr
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com
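The "secure when properly used" qualifier in the MDN text quoted above comes down to two checks that the quote does not spell out. As an added example, not code from the original post or from extractwidget.com, the following JavaScript shows both: the receiving page compares event.origin for exact equality before touching the data, and the sending page names the target origin instead of passing "*". The origin https://widgets.example, the message shape and the fake window object are assumptions; the events are constructed so that the script runs offline under Node.

```javascript
// Added example (not code from the original post or from extractwidget.com):
// the two checks that make window.postMessage "secure when properly used".
// The origin https://widgets.example and the message shape are assumptions.
// Runs under Node by simulating MessageEvent objects; in a browser the
// receiver is registered with window.addEventListener("message", ...).

const TRUSTED_ORIGIN = "https://widgets.example"; // assumed host of the widget store

// Receiver side: accept a message only when its origin matches exactly.
// Returns the parsed payload, or null when the message is rejected.
function handleMessage(event, trustedOrigin = TRUSTED_ORIGIN) {
  // event.origin is filled in by the browser and cannot be chosen by the
  // sender, so it is the value to check. Compare for equality: a substring
  // test such as origin.includes("widgets.example") would also accept
  // "https://widgets.example.attacker.test". Opaque origins arrive as the
  // string "null" and fail the comparison, as they should.
  if (typeof event.origin !== "string" || event.origin !== trustedOrigin) {
    return null;
  }
  // Even data from the trusted origin is input: parse it as JSON and check
  // its shape; never eval() it or write it into the page as HTML.
  let msg = event.data;
  if (typeof msg === "string") {
    try {
      msg = JSON.parse(msg);
    } catch (e) {
      return null;
    }
  }
  if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
    return null;
  }
  return msg;
}

// Sender side: name the recipient origin instead of "*". With "*" the data
// is delivered to whatever document currently occupies targetWindow, which
// an attacker may have navigated elsewhere since the frame was created.
// Returns the origin used for delivery.
function sendToWidgetHost(targetWindow, payload, targetOrigin = TRUSTED_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post widget data with targetOrigin '*'");
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
  return targetOrigin;
}

// Constructed stand-in for a browser Window, so the example runs offline:
// it records what postMessage was asked to deliver and to which origin.
function fakeWindow(delivered) {
  return {
    postMessage(data, targetOrigin) {
      delivered.push({ data, targetOrigin });
    },
  };
}

// Walk through accepted and rejected cases with constructed events.
// Returns true when every case behaves as described in the comments.
function demo() {
  const results = [];
  const good = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ type: "saveGadget", id: 7 }) };
  const lookalike = { origin: "https://widgets.example.attacker.test", data: good.data };
  const wrongScheme = { origin: "http://widgets.example", data: good.data };
  const garbage = { origin: TRUSTED_ORIGIN, data: "<script>alert(1)</script>" };
  results.push(handleMessage(good) !== null);        // accepted
  results.push(handleMessage(lookalike) === null);   // rejected: origin differs
  results.push(handleMessage(wrongScheme) === null); // rejected: scheme differs
  results.push(handleMessage(garbage) === null);     // rejected: not JSON

  const delivered = [];
  sendToWidgetHost(fakeWindow(delivered), { type: "saveGadget", id: 7 });
  results.push(delivered[0].targetOrigin === TRUSTED_ORIGIN);
  return results.every(Boolean);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo() ? "all checks behaved as expected" : "unexpected result");
}
```

In a real page the receiver is `window.addEventListener("message", (e) => handleMessage(e))`, and the sender calls `frame.contentWindow.postMessage(...)` with the same named origin; the fake window only replaces the browser so the logic can be exercised without one.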


