[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Adam Barth cap-talk at adambarth.com
Thu Jun 25 18:40:07 EDT 2009


On Thu, Jun 25, 2009 at 3:37 PM, <ihab.awad at gmail.com> wrote:
> On Thu, Jun 25, 2009 at 3:31 PM, Adam Barth<cap-talk at adambarth.com> wrote:
>> It's not vulnerable using CORS because the authorization can't be
>> transplanted to the user's browser.
>
> I understand. But, unless I misunderstand, it need *not* be
> transplanted in order for it to be a vulnerability. Evil.com may still
> misuse the authority -- just not from the browsers of the users of
> Evil.com.
>
> In fact, #3 shows the Evil.com *server* misusing that authority.

The evil server can always see the raw stock ticker information by
posing as a browser and viewing acme.com.

Adam
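Adam's point above (that CORS authorization is enforced by the browser and does not give Evil.com's server anything it could not fetch by posing as a client), modelled as an added example that is not part of the thread. The origin names, header values and the "ticker" and "portfolio" responses are constructed for illustration.

```python
"""Added example (not from the thread): a simplified model of how a browser
decides whether a cross-origin response is exposed to the requesting page under
CORS, beside a non-browser client that ignores CORS entirely."""
from dataclasses import dataclass, field


@dataclass
class Response:
    headers: dict = field(default_factory=dict)
    body: str = ""


def cors_exposes(origin: str, with_credentials: bool, resp: Response) -> bool:
    """Return True if a page at `origin` may read `resp` (simplified CORS rules).

    - Access-Control-Allow-Origin must equal the origin exactly, or be "*".
    - If the request carried credentials (cookies, HTTP auth), "*" does not
      count and Access-Control-Allow-Credentials must be exactly "true".
    """
    acao = resp.headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        if acao == "*":
            return False
        return (acao == origin
                and resp.headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == origin


def server_side_fetch(resp: Response) -> str:
    """A non-browser client (such as Evil.com's own server) is not subject to
    CORS at all: the policy lives in the browser, so whatever acme.com returns
    to an anonymous client is readable as-is."""
    return resp.body


# Constructed samples: a public ticker readable by any origin, and a per-user
# portfolio that acme.com exposes to https://evil.com only when it also opts in
# to credentialed requests.
PUBLIC_TICKER = Response({"Access-Control-Allow-Origin": "*"}, "ACME 12.34")
PORTFOLIO_NO_CREDS = Response({"Access-Control-Allow-Origin": "https://evil.com"},
                              "portfolio")
PORTFOLIO_CREDS = Response({"Access-Control-Allow-Origin": "https://evil.com",
                            "Access-Control-Allow-Credentials": "true"},
                           "portfolio")
```

The user's cookie-backed portfolio only reaches a script on evil.com when acme.com explicitly allows credentialed requests from that exact origin, while the public ticker is available to evil.com's server with or without CORS.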

