[cap-talk] CORS and GIFAR attacks
Sandro Magi
naasking at higherlogics.com
Wed Oct 7 12:26:36 EDT 2009
Adam Barth wrote:
> Yes. GIFAR breaks all browser security mechanisms because the
> attacker gets to run arbitrary script with the privileges of the
> victim web site. We shouldn't view this as a problem with CORS but as
> a problem with GIFAR or the web security model in general.
And yet, I can't help but note that the unique token approaches
suggested by myself and David Chizmadia would not be vulnerable to any
such attacks, since we already assume that the client may be hostile.
I do not think such an assumption is pessimistic in the least, while
CORS-type proposals which depend on client correctness seem overly
optimistic.
Sandro
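To make the trust assumption concrete, here is a toy model of the two authorization styles being contrasted, added as an illustration and not code from the thread or from either proposal. It assumes, as a simplification, that a CORS-style server grants access from the client-reported Origin header plus an ambient session cookie, while a token-style server grants access only to whoever presents an unguessable per-resource token. The session table, origin allow-list and resource name are constructed sample data; the "hostile client" is modelled as one that can put anything in the Origin header and reuse the victim's cookies, which is the assumption Sandro says the token design already makes.

```python
"""Toy comparison: origin/cookie-based (CORS-style) vs unique-token authorization.

Added example with constructed data; it is not the mailing-list authors' code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    origin: str                        # Origin header exactly as the client sent it
    cookies: Dict[str, str] = field(default_factory=dict)
    token: Optional[str] = None        # bearer token, if the client has one


# Constructed sample state (hypothetical values).
SESSIONS: Dict[str, str] = {"sess-victim": "alice"}        # cookie value -> user
ALLOWED_ORIGINS = {"https://partner.example"}              # CORS allow-list


def cors_authorize(req: Request) -> Optional[str]:
    """CORS-style check: authority comes from ambient state the client controls.

    The server believes the Origin header and attaches the user identity from
    the session cookie. Both are supplied by the client, so a client that is
    not behaving (e.g. script running with the victim site's privileges)
    can satisfy this check without any secret of its own.
    """
    if req.origin not in ALLOWED_ORIGINS:
        return None
    return SESSIONS.get(req.cookies.get("session", ""))


# Token-style: authority is the possession of an unguessable token.
TOKENS: Dict[str, Tuple[str, str]] = {}                   # token -> (user, resource)


def issue_token(user: str, resource: str) -> str:
    """Mint a fresh 256-bit token bound to (user, resource); hand it out out-of-band."""
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = (user, resource)
    return tok


def token_authorize(req: Request, resource: str) -> Optional[str]:
    """Token-style check: ignores Origin and cookies entirely.

    Only a client that actually holds a token for this resource is granted
    access; how honest the client is about anything else does not matter.
    """
    if req.token is None:
        return None
    for tok, (user, res) in TOKENS.items():
        # Constant-time compare so a hostile client cannot guess byte-by-byte.
        if res == resource and hmac.compare_digest(tok, req.token):
            return user
    return None


def scenarios() -> Dict[str, Optional[str]]:
    """Run the honest and hostile clients against both models."""
    honest = Request("https://partner.example", {"session": "sess-victim"})
    # Hostile client: forges the allowed Origin and reuses the ambient cookie.
    hostile = Request("https://partner.example", {"session": "sess-victim"})
    tok = issue_token("alice", "/doc/1")
    holder = Request("https://evil.example", {}, tok)   # no cookie, wrong origin
    return {
        "cors_honest": cors_authorize(honest),
        "cors_hostile": cors_authorize(hostile),          # passes: same bits as honest
        "token_no_token": token_authorize(hostile, "/doc/1"),
        "token_holder": token_authorize(holder, "/doc/1"),
        "token_wrong_resource": token_authorize(holder, "/doc/2"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result}")
```

The point the model makes is the one in the message above: under the CORS-style check the honest and hostile requests are byte-for-byte identical, because every input the server relies on originates from the client, whereas the token check grants or denies purely on possession of the token, so nothing about the client's correctness is assumed. What the model does not address is how the token reaches the legitimate holder and whether hostile code in the same context could read it; that distribution problem is outside the scope of this post.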