[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Sam Mason sam at samason.me.uk
Sun Mar 29 19:24:52 EDT 2009


On Fri, Mar 27, 2009 at 04:43:47PM -0700, Chip Morningstar wrote:
> Sam Mason <sam at samason.me.uk> wrote:
> > In the example given by Chip; what would prevent an attacker from
> > performing an XMLHttpRequest and getting a copy of A for themselves,
> > parsing out the link to page B and going from there?
> 
> A clickjack attacker's goal is to trick the victim into using authority that
> the victim possesses but the attacker does not.  In this case, the attacker
> can't see the link to Page B because the attacker doesn't have the victim's
> cookie.  If the attacker fetched Page A using XHR, they wouldn't get the
> victim's version of the link, they'd get their own version of the link.

Yes; I forgot about the same-origin policy (as David made more explicit)
that would seem to be the thing stopping this attack.

-- 
  Sam  http://samason.me.uk/

