[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Sam Mason sam at samason.me.uk
Fri Mar 27 12:02:07 EDT 2009


On Fri, Mar 27, 2009 at 03:42:03PM +0000, Karp, Alan H wrote:
> Sam Mason wrote:
> > In the example given by Chip; what would prevent an attacker from
> > performing an XMLHttpRequest and getting a copy of A for themselves,
> > parsing out the link to page B and going from there?
> 
> Then anyone with access to page A has access to page B and all the
> rights it contains.  There's no need to induce the user to click
> anything.

That's how I understand the original problem.

> In Chip's scenario, page A does not contain the URL for
> page B, just a way to tell some component to open page B in a separate
> window.  Since the URL for page B is unguessable, page B is not
> subject to clickjacking.

The way I read Chip's problem was that the user's browser would end
up receiving an HTML page containing a link to page B.  This would be
accomplished by using whatever ambient authority was available (Chip
suggested cookies, HTTP authentication would seem to work as well) when
it was generated by the server.

Chip?

-- 
  Sam  http://samason.me.uk/

