The XHR API is now capable of making cross-domain calls thanks to HTML5. There
are applications that include user-controlled data as the request URL in
XHR.open().

This was assumed to be safe because the value could only point to a file hosted
on the same domain. But with HTML5 this value can be set to a file on an
attacker-controlled domain.

Real-life example on touch.facebook.com: http://m-austin.com/blog/?p=19

Server-side ESAPI provides secure equivalents of the request and response
objects. Similarly, ESAPI4JS can provide a secure equivalent of the
XMLHttpRequest object by turning off support for cross-origin requests (COR) by
default (a little similar to this -
http://myappsecurity.blogspot.com/2007/01/ajax-sniffer-prrof-of-concept.html).

A new property called 'cor' can be added to the extended XHR API. Only if this
flag is set would cross-domain requests be allowed, as explained towards the
end of this post -
http://blog.andlabs.org/2010/08/xssing-client-side-dynamic-html.html

Ideally this change should be made to the underlying API itself, but until then
ESAPI4JS can fill the gap, I guess.
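Added example (not ESAPI4JS code and not the reporter's): a minimal wrapper of the kind proposed above, which resolves the URL passed to open() against the page origin and throws unless the 'cor' flag is set. PAGE_ORIGIN and the stub native XHR are constructed assumptions so the wrapper can be exercised outside a browser; in a page you would use window.location.origin and window.XMLHttpRequest.

```javascript
// Added example, not ESAPI4JS code: a "secure XHR" that blocks cross-origin
// URLs in open() unless the caller explicitly sets xhr.cor = true.
// Assumed: page origin is passed in (browser: window.location.origin).
const PAGE_ORIGIN = "https://app.example"; // constructed sample origin

// Resolve url as the browser would (relative paths, "//host/path", mixed-case
// schemes, default ports) and compare the resulting origin with the page's.
function isSameOrigin(url, pageOrigin = PAGE_ORIGIN) {
  let target;
  try {
    target = new URL(String(url), pageOrigin);
  } catch (e) {
    return false; // unparsable URL: never treat as same-origin
  }
  // Only http(s) origins are comparable; data:, blob:, javascript: are rejected.
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  return target.origin === new URL(pageOrigin).origin;
}

// Stand-in for the native XMLHttpRequest (constructed; only records the call).
class StubXHR {
  open(method, url) { this.method = method; this.url = url; this.opened = true; }
  send(body) { this.sent = true; this.body = body; }
}
const NativeXHR = StubXHR; // browser: const NativeXHR = window.XMLHttpRequest;

// Secure equivalent: cross-origin open() is refused unless `cor` is set.
class SecureXHR {
  constructor(pageOrigin = PAGE_ORIGIN) {
    this.cor = false;            // opt-in flag proposed in the issue
    this.pageOrigin = pageOrigin;
    this.native = new NativeXHR();
  }
  open(method, url, ...rest) {
    if (!this.cor && !isSameOrigin(url, this.pageOrigin)) {
      throw new Error(`SecureXHR: cross-origin request to ${url} blocked; set cor=true to allow`);
    }
    return this.native.open(method, url, ...rest);
  }
  send(body) { return this.native.send(body); }
}

// Returns true if open() was permitted for url, false if the wrapper blocked it.
function tryOpen(url, cor = false) {
  const xhr = new SecureXHR();
  xhr.cor = cor;
  try { xhr.open("GET", url); return true; } catch (e) { return false; }
}
```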
Original issue reported on code.google.com by l...@andlabs.org on 24 Aug 2010 at 7:10