[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)
Adam Barth
cap-talk at adambarth.com
Thu Jun 25 18:31:20 EDT 2009
On Thu, Jun 25, 2009 at 3:04 PM, <ihab.awad at gmail.com> wrote:
> On Thu, Jun 25, 2009 at 2:59 PM, Adam Barth<cap-talk at adambarth.com> wrote:
>> In #4, I wasn't imagining that the acme users have an account at
>> Google. Imagine the stock ticker running on ACME's home page. It's
>> not really the user's credentials that authorize them to get the raw
>> data for the ticker. It's ACME's.
>
> Ok, so I'm confused: It sounds like what you are imagining is actually
> #2, which would be vulnerable to the attack sketched out in #3. What
> am I missing?
It's not vulnerable using CORS because the authorization can't be
transplanted to the user's browser.
Adam
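The distinction Adam draws above (the data provider grants access to ACME's origin, not to the user, so the grant cannot be carried off into some other page running in the user's browser) can be made concrete with a small model of the provider's CORS handling and the browser's read check. This is an added example, not code from the cap-talk thread or from any CORS implementation; the hostnames, the allow-list, the ticker payload and the 403 policy are constructed assumptions.

```python
"""Origin-scoped CORS authorization for a cross-site data feed (added example).

Models the scenario in the thread: ACME's home page embeds a stock ticker
that fetches raw data from a provider. The provider authorizes the *origin*
ACME, not the user, so the user's cookies play no part in the decision and
no Access-Control-Allow-Credentials header is ever sent.
"""

# Constructed: origins the provider lets read the feed from a browser.
ALLOWED_ORIGINS = {"https://www.acme.example"}

# Constructed sample payload.
TICKER_DATA = {"ACME": 12.34, "XYZ": 56.78}


def cors_headers(origin):
    """Return the CORS response headers for a request from `origin`.

    A listed origin is echoed back as Access-Control-Allow-Origin (never
    '*', so the grant is scoped to exactly that origin). An unlisted or
    missing origin gets no CORS headers at all, so the browser withholds
    the response body from the calling script.
    """
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Vary": "Origin",  # response differs per origin; keep caches honest
        }
    return {}


def handle_ticker_request(headers):
    """Serve GET /ticker for a simple (non-preflighted) cross-origin request.

    `headers` is the request header map. Note what is *not* consulted: the
    Cookie header. The user's ambient credentials neither help nor hurt;
    only the Origin the browser attached decides access. Returning 403 to
    unlisted origins is a policy choice here; even a 200 would not be
    readable by a script on a non-listed origin.
    """
    origin = headers.get("Origin")
    response_headers = {"Content-Type": "application/json"}
    response_headers.update(cors_headers(origin))
    if "Access-Control-Allow-Origin" not in response_headers:
        return 403, response_headers, {"error": "origin not authorized"}
    return 200, response_headers, TICKER_DATA


def browser_can_read(origin, response_headers):
    """Model the browser's CORS check for a response delivered to `origin`.

    The body is exposed to the page's script only when
    Access-Control-Allow-Origin matches the requesting origin. Credentialed
    mode is not modelled because the provider never opts into it.
    """
    return response_headers.get("Access-Control-Allow-Origin") == origin


if __name__ == "__main__":
    # The same user, with the same cookie, from two different pages.
    for page in ("https://www.acme.example", "https://other.example"):
        status, hdrs, body = handle_ticker_request(
            {"Origin": page, "Cookie": "session=user-cookie"})
        print(page, status, "readable:", browser_can_read(page, hdrs))
```

The Origin header is not a secret and does not authenticate non-browser clients; what the allow-list controls is which web pages a browser will let read the feed. That is exactly why the grant cannot be transplanted: it names ACME's page, and a page at any other origin receives no Access-Control-Allow-Origin for itself no matter what cookies the user carries.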