Plain text considered harmful: A cross-domain exploit

Written by on March 4, 2013 in Experience

Benjamin Dumke-von der Ehe posted a proof of concept for a cross-domain exploit using plain text. It works mainly in Firefox, using Proxy objects, and possibly in Chrome if you enable experimental JavaScript.


The same-origin policy prevents a website’s JavaScript from seeing the result of a request made to a different domain. This is essential because the browser attaches any cookies stored for that domain to the request. If you happen to be authenticated on the other site and visit a malicious site, the evil page could request, say, your account balance summary from the other site and read it back.
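The paragraph above describes the browser side of the same-origin policy. The flip side, which the post does not show, is the server's own decision about when a cross-origin page is allowed to read an authenticated response at all. The following is an added example, not code from the original post or from the proof of concept it links to: a small Node-style request handler (the origin allowlist, the `/balance` path and the sample body are constructed for illustration) that only relaxes the policy for exact-match trusted origins, never pairs credentials with a wildcard, and marks a sensitive plain-text body `nosniff` so a browser will not execute it as a script when it is pulled in through a script element.

```javascript
// Added example (not from the original post): server-side handling of a
// cross-origin request for sensitive plain text. The same-origin policy keeps
// cross-domain responses opaque to scripts unless the server opts in with
// CORS headers, so the allowlist below is the real security boundary.

// Hypothetical allowlist of origins permitted to read authenticated responses.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Decide which CORS headers to emit for a request carrying `origin`.
// Returns a headers object, or null when the response must stay opaque to the
// requesting page (the browser then blocks that page's script from reading it).
function corsHeadersFor(origin, trusted = TRUSTED_ORIGINS) {
  // No Origin header: a same-origin or non-browser request; nothing to relax.
  if (typeof origin !== 'string') return null;
  // Exact-match lookup. Substring or regex checks (e.g. /example\.com/) would
  // also accept evil-example.com or app.example.com.attacker.net.
  if (!trusted.has(origin)) return null;
  return {
    // Echo the single matched origin, never '*', because cookies are sent.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches the response differs per Origin so one origin's copy is not
    // served to another.
    'Vary': 'Origin',
  };
}

// Headers for a sensitive text/plain body, whether or not CORS applies.
// nosniff tells the browser not to reinterpret the body as another type,
// which includes refusing to run it as a script from a <script src=...> tag.
function sensitiveTextHeaders() {
  return {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

// Minimal handler for a request object with a `headers` map. Returns the
// response rather than writing to a socket so it can be exercised offline.
function handle(req) {
  const cors = corsHeadersFor(req.headers && req.headers.origin);
  return {
    status: 200,
    headers: { ...sensitiveTextHeaders(), ...(cors || {}) },
    // Constructed sample body standing in for the account balance summary.
    body: 'balance: 42.00\n',
  };
}

// Walk-through with constructed requests: a trusted origin gets CORS headers,
// an untrusted one gets the opaque response the same-origin policy enforces.
for (const origin of ['https://app.example.com', 'https://evil.example', undefined]) {
  const res = handle({ headers: { origin } });
  console.log(origin, '->', res.headers['Access-Control-Allow-Origin'] || '(opaque)');
}
```

The handler returns a plain object instead of writing to a socket so the decision logic can be unit-tested; in a real server the same `headers` map would be passed to `res.writeHead`. The allowlist match is deliberately exact, and the wildcard origin is never emitted, because the whole point of the paragraph above is that the request carries the victim's cookies.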
