> The mechanics of the vulnerability, which Egor's blog does not really communicate effectively

What's not effective in my post? As I said, the attack works as JSONP hijacking. So everything is totally obvious, isn't it?
On Monday, December 2, 2013 4:09:02 PM UTC+7, Alex wrote:
> The mechanics of the vulnerability, which Egor's blog does not really communicate effectively, are, as I understand them:
>
> An evil site includes a <script> tag referencing a GETable .js.erb url from a good site. If the user is logged into the good site via cookies and has 3rd party cookies enabled, the request will succeed and return js possibly containing html with data intended to be private between the user and the good site. This js will execute in the js environment under the control of the evil site (it can override any function, method), handing the evil site the intended-to-be-private html.
>
> This attack is not possible with non-js content loaded by XHR or iframes, as the browser enforces cross-domain restrictions for both, and the evil site will not be able to get at the good site's content.
>
> On Monday, December 2, 2013 3:41:07 AM UTC-5, Andy White wrote:
>> On 2 Dec 2013, at 03:42, Egor Homakov <[email protected]> wrote:
>>
>> > What I actually want is to make people understand and check if they have this problem. Deprecation is one of the means to do it.
>>
>> No, it isn't. Deprecation means we intend to remove that feature in the next major release, which we don't want to do. Single-page apps may be the latest hotness but that doesn't invalidate the previous two decades of web development. We didn't remove forms when CSRF attacks were developed, we developed protections against them. This is exactly the same scenario - we need to develop useful, easy to use protections that we can enable by default.
>>
>> Egor, can you clarify one point for me - you mention that JS templates allow stealing of the CSRF token if they return a form, but surely that would be true even for HTML templates?
>>
>> Andrew
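The protection Andy asks for, as an added example that is not code from this thread or from Rails: a Rack-style middleware that refuses a JavaScript response to a plain GET, because a cross-origin `<script src=...>` tag is always a plain GET and cannot set the `X-Requested-With: XMLHttpRequest` header, while the site's own XHR-driven `.js.erb` calls can. The env keys follow the Rack convention; the sample app, its rendered JS and the token value are constructed for the demo.

```ruby
# Added example (not from the thread, not Rails' own code): block the
# <script>-tag path to a .js.erb response while leaving same-origin XHR alone.
JS_TYPES = ['text/javascript', 'application/javascript',
            'application/x-javascript'].freeze

class JsOriginGuard
  def initialize(app)
    @app = app
  end

  # Rack-style call: run the app, then refuse JavaScript bodies that were
  # fetched by a GET without the XMLHttpRequest marker.
  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless javascript?(headers) && non_xhr_get?(env)
    # A cross-origin <script src> cannot add X-Requested-With, so this request
    # is the JSONP-style hijack shape, not the app's own XHR. Withhold the JS.
    [403, { 'Content-Type' => 'text/plain' }, ['Cross-origin JavaScript GET refused']]
  end

  private

  def javascript?(headers)
    ctype = headers.fetch('Content-Type', '').split(';').first.to_s.strip.downcase
    JS_TYPES.include?(ctype)
  end

  def non_xhr_get?(env)
    env['REQUEST_METHOD'] == 'GET' &&
      env['HTTP_X_REQUESTED_WITH'] != 'XMLHttpRequest'
  end
end

# Constructed sample app standing in for a .js.erb template that renders
# private HTML (including a CSRF token in a form) into JavaScript.
PRIVATE_JS = lambda do |_env|
  [200, { 'Content-Type' => 'text/javascript; charset=utf-8' },
   ["$('#inbox').html('<form><input name=\"authenticity_token\" value=\"SAMPLE\"></form>');"]]
end

# Helper returning only the status so the two request shapes can be compared.
def guarded_status(xhr:, method: 'GET')
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/messages.js' }
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  JsOriginGuard.new(PRIVATE_JS).call(env).first
end
```

The same check does not touch HTML templates, which answers Andy's question in practice: a cross-origin `<script>` tag can only execute a JavaScript body, and HTML fetched by XHR or an iframe is already withheld from the evil site by the browser's same-origin policy.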
