> On 2 Dec 2013, at 09:32, Michael Pavling <[email protected]> wrote:

> 
>> On 2 December 2013 09:09, Alex <[email protected]> wrote:
>> This attack is not possible with non-JS content loaded by XHR or iframes, as 
>> the browser enforces cross-domain restrictions for both, and the evil site will 
>> not be able to get at the good site's content.
> 
> If the operators of EvilSite have gone to such lengths to contrive forms and 
> overridden JS methods to potentially steal a tiny bit of possibly private 
> HTML and data, could they not take the next small step and use a browser that 
> *does not* enforce cross-domain restrictions on XHR? (or frankly, write their 
> hacks with wget or curl)

The idea is not that the evil site operators will access their own site 
themselves, but that they will get legitimate users of your site to visit their 
evil site (and thereby steal the legitimate users' private data). So, for their 
ploy to be successful, it needs to work in standard browsers that ordinary 
users will be using.

Chris
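
The server-side check that follows from Chris's point above, as an added example (not code from the thread, and not Rails' own implementation, although Rails later shipped a similar check as ActionController::InvalidCrossOriginRequest): a victim's browser sends the good site's cookies with a cross-site `<script src=...>` load, but a plain script load cannot add the `X-Requested-With` header that the good site's own XHR calls carry, so a JavaScript response to a GET without that header can be refused. The middleware, the sample app and the `/orders.js` path are constructed for this example.

```ruby
# Added example (not from the thread or from Rails): a Rack-style middleware
# that refuses to serve JavaScript responses to cross-site <script> loads.
#
# Threat model from the thread: a user logged in to good.example visits
# evil.example, which embeds <script src="https://good.example/orders.js">.
# The browser attaches the user's cookies to that request, and the returned
# script runs inside evil.example's page. XHR issued by good.example's own
# pages differs in one observable way: rails-ujs/jQuery add
# "X-Requested-With: XMLHttpRequest", a header a bare <script> tag cannot set.
#
# The check below allows a JavaScript response to a GET only when that header
# is present; non-GET requests are left to the usual CSRF-token verification.
class JsHijackGuard
  JS_TYPE = %r{\A(?:text|application)/javascript}i

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if reject?(env, headers)
      body.close if body.respond_to?(:close)
      return [403, { 'Content-Type' => 'text/plain' },
              ["Cross-origin JavaScript request rejected\n"]]
    end
    [status, headers, body]
  end

  # Reject when a GET produced a JavaScript body without the XHR marker.
  def reject?(env, headers)
    return false unless env['REQUEST_METHOD'] == 'GET'
    return false unless headers['Content-Type'].to_s =~ JS_TYPE
    env['HTTP_X_REQUESTED_WITH'] != 'XMLHttpRequest'
  end
end

# Constructed sample app: a private "orders" listing served as JavaScript,
# the kind of response a cross-site <script> load would try to pull in.
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/javascript' }, ['var orders = [/* ... */];']]
end
GUARD = JsHijackGuard.new(SAMPLE_APP)

# Status code the guarded app returns for a request with the given method,
# optionally carrying the XHR header.
def status_for(method, xhr: false)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/orders.js' }
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  GUARD.call(env).first
end
```

A cross-site `<script>` load (GET, no header) gets 403, while the site's own XHR (GET with the header) and non-GET requests pass through to the app.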
