[wp-hackers] Any other way to do it? (or, do we really need Nonces?)

Elliotte Harold elharo at metalab.unc.edu
Fri Mar 2 19:04:28 GMT 2007

Russ (YAR) Gilman-Hunt wrote:

> A lot of Ajax implementations use POST to communicate; that qualifies
> to me as "without human intervention." However, my brain doesn't work
> towards nefarious purposes very easily, so I'm "just sayin" -- not that
> I know how someone would use it.

There are some restrictions on exactly who XmlHttpRequest can POST to. 
In particular at the default security level it can only POST back to the 
site from which the script came.

However there's something in JSON that allows at least occasional 
tunneling around that. As I said, I'm not a big JavaScript person so I'm 
not sure if this is or isn't bulletproof, or exactly how it applies 
here. More research is needed.



I *think* the net effect here is that site foo cannot post a form that 
includes my authentication cookies to site bar without me explicitly 
pushing a button. If there is a way to hack around this, I think it 
would be classified as a security bug by browser vendors, and would be 

Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!

More information about the wp-hackers mailing list