[Catalyst] Re: CSRF
Moritz Onken
onken at houseofdesign.de
Wed Oct 1 14:22:23 BST 2008
Am 01.10.2008 um 14:20 schrieb Jonathan Rockway:
> * On Wed, Oct 01 2008, Moritz Onken wrote:
>> I imagine a case where the attacker's site opens a iframe to your
>> site which exploits a XSS issue and can send the hole form
>> information back to the attacker's site. He has now the HMAC and
>> the random string.
>
> I was under the impression that you could open an iframe to someone
> else's site and manipulate it from javascript running on your own
> site,
> without relying on any vulnerabilities on that site. Maybe not?
> Maybe
> flash can do this? (Why do we even have iframes? For serving ads?)
Hi Jonathan,
you cannot access data on a different frame via javascript if it's not
from the same server. This is called the same origin policy and is also
applicable to iframes.
greetings
moritz
More information about the Catalyst
mailing list