In response to my last post, Cross-Site DOM Form Element Modification, here is some background via Wikipedia called the Same Origin Policy. Again, this simply doesn't prevent attacks and the DOM is still not safe. Some well-informed individuals linked me to the FAQ_SOP for Google's Web Toolkit, where it states "While very necessary, this policy also has the side effect of making web developers' lives difficult". I agree with the latter piece of that statement; the preceding "While very necessary" is what I disagree with. So, for instance, let's say I have a form that takes one line of input, being a name. In that form input, I expect a name that can consist of numbers, letters, extended chars and symbols.
No matter what happens, that input box is hijackable. No matter where you try to prevent input into that box from a remote party, so long as it's on the web, that specific input box is prone to attack. I don't care what you do; deny DOM access remotely, fine! Just wait for a local attack. Write stuff to a temporary cookie that is read and deleted? The attacker just has to know the cookie's name and poll continuously. No matter what you do to try and protect the DOM, you can't, because of the very nature of the web. Access control mechanisms work to an extent, but they change the vector only slightly. What would be better is a way to deny/allow access to the DOM based on the HTML itself, so one could deny DOM access for specific elements!
After the last two days my options are fragment IDs, setting up some DNS/virtual host workaround or dropping data into a temp cookie to be read on a JavaScript event. Programming for the web sucks ass, this is horse shit! All of this to transfer one line of text between forms because cwarner.dev.nymag.biz:80 and cwarner.dev.nymag.biz:8025 throw up the SOP flag. It's fucking stupid retarded.
Can someone, anyone, give a good example why denying access to form element properties across sites is a good idea? From where I stand right now there is no good reason for Mozilla to be denying access to form elements across sites. All I see are a lot of poor examples where what's passed should be validated. You know, validating data? That's just part of it though, because using Ajax doesn't change anything at all. See, all it does is add an Ajax request/function that, exposed or not, is still exploitable by an attacker. Then there is Cross-Site XMLHttpRequest; all this does is make a lot more work for people who need to update the elements or DOM objects, and it doesn't solve anything really. "This level of control gives content creators greater amounts of flexibility when it comes to allowing their users to build mashups and applications using their information." What? No it doesn't, it just adds a layer of perceived control and security, which really isn't there. Now, I'm not saying this is totally useless, because defining who gets what is useful. Except at the end of the day you don't really control who gets what if it's on the web, unless you are taking the blood of your users and matching DNA. The core of the problem still seems to be validation. So why all the goddamn gimmicks?
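Added example (not from the original post or from any project it mentions): the post's two hosts compared as scheme/host/port origins, plus a check the receiving form can run on the transferred one-line name, whichever channel carried it. The function names, the sender allowlist and the 100-character limit are assumptions made for illustration.

```javascript
// Added illustration; every name and limit here is an assumption.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is (scheme, host, port). The URL parser drops a default port,
// so it is filled back in to make ":80" and "no port" compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

const MAX_NAME_LENGTH = 100; // assumed limit, not from the post

// One line of text: letters, digits, extended characters and symbols pass;
// control characters and line/paragraph separators do not.
function validateName(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  const name = value.normalize('NFC').trim();
  if (name.length === 0) return { ok: false, reason: 'empty' };
  if (name.length > MAX_NAME_LENGTH) return { ok: false, reason: 'too long' };
  if (/[\p{Cc}\p{Zl}\p{Zp}]/u.test(name)) {
    return { ok: false, reason: 'control or line-break character' };
  }
  // Symbols such as "<" are allowed, so the caller must assign the result
  // to input.value or textContent, never to innerHTML.
  return { ok: true, name };
}

// Accept the value only from an allowlisted sender, then validate it.
function acceptName(senderUrl, value, allowedSenders) {
  const sender = originOf(senderUrl);
  if (!allowedSenders.map(originOf).includes(sender)) {
    return { ok: false, reason: `sender ${sender} not allowed` };
  }
  return validateName(value);
}
```

The validation step still has to be repeated on the server, since anything checked in the browser can be bypassed by whoever controls the browser.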
Same Origin Policy