The mechanics of the vulnerability, which Egor's blog does not really 
communicate effectively, are, as I understand them:

an evil site includes a <script> tag referencing a GETable .js.erb url from 
a good site.  If the user is logged into the good site via cookies and has 
3rd party cookies enabled, the request will succeed and return js possibly 
containing html with data intended to be private between the user and the 
good site.  This js will execute in the js environment under the control of 
the evil site (it can override any function, method), handing the evil site 
the intended to be private html.

This attack is not possible with non js content loaded by XHR or iframes, 
as the browser enforces cross-domain restrictions for both, and evil site 
will not be able to get at good site's content. 

On Monday, December 2, 2013 3:41:07 AM UTC-5, Andy White wrote:
>
>
> On 2 Dec 2013, at 03:42, Egor Homakov <[email protected] <javascript:>> 
> wrote: 
>
> > What I actually want is to make people understand and check if they have 
> this problem. Deprecation is one of the means to do it. 
>
> No, it isn't. Deprecation means we intend to remove that feature in the 
> next major release, which we don't want to do. Single-page apps may be the 
> latest hotness but that doesn't invalidate the previous two decades of web 
> development. We didn't remove forms when CSRF attacks were developed, we 
> developed protections against them. This is exactly the same scenario - we 
> need to develop useful, easy to use protections that we can enable by 
> default. 
>
> Egor, can you clarify one point for me - you mention that JS templates 
> allow stealing of the CSRF token if they return a form, but surely that 
> would be true even for HTML templates? 
>
>
> Andrew 
>
>

Visit this group at http://groups.google.com/group/rubyonrails-core.