I think Opera would have been the last to change. I'm not sure of IE because early versions of IE have poor ECMAScript support. You might override Array(), but I doubt you can override Object with the __defineGetter__.
On May 17, 2012, at 9:37 AM, Chris Steipp wrote:
On Thu, May 17, 2012 at 6:32 AM, Andrew Garrett agarrett@wikimedia.org wrote:
On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen lists@nadir-seen-fire.com wrote:
Yes. Except you can get tokens by the api. If we didn't drop permissions to anon and reject requests for tokens to JSONP then it would be possible for a 3rd party website to use JSONP to extract an edit token, and then initiate a background iframe form POST to make an edit under your account.
Read up. :)
Terry/Roan mentioned that you can use regular JSON output format, and override the property setter to steal the data.
We've tried to make sure that there is no way to pull the edit token cross site. That would be a violation of our security assumptions, so we would try to fix it asap.
I've actually been looking at the override attack in my spare time for the past few weeks (since I found out the edit token was available in json). I haven't been able to find a browser that it works in yet, although I'm suspicious of IE 6/7 and haven't had the time to test yet. If someone does find a working example for a specific browser, please do notify me!
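
The mitigation described in the thread (process JSONP requests as anonymous and refuse to serve tokens to them), sketched as an added example that is not part of the original messages and is not MediaWiki's code. The handler, session store, error codes and token value are hypothetical and constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not MediaWiki's API code.

// Constructed session store: session cookie value -> user and edit token.
const SESSIONS = new Map([
  ['sess-alice', { user: 'Alice', editToken: 'constructed-token-0001' }],
]);

// A JSONP callback must be a plain identifier path, nothing else.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

function respond(status, payload, callback) {
  const json = JSON.stringify(payload);
  return callback === undefined
    ? { status, type: 'application/json', body: json }
    : { status, type: 'application/javascript', body: `/**/${callback}(${json})` };
}

function handleApiRequest({ query, cookies }) {
  const isJsonp = Object.prototype.hasOwnProperty.call(query, 'callback');
  if (isJsonp && !CALLBACK_RE.test(query.callback)) {
    return respond(400, { error: 'badcallback' });
  }
  const callback = isJsonp ? query.callback : undefined;

  // A cross-site <script src> load still sends the visitor's cookies, so a
  // JSONP request is processed as anonymous: the session cookie is ignored.
  const session = isJsonp ? null : SESSIONS.get(cookies.session) || null;

  if (query.action === 'tokens') {
    // Tokens are never returned in a form another origin can execute.
    if (isJsonp) return respond(403, { error: 'notokensviajsonp' }, callback);
    if (!session) return respond(403, { error: 'notloggedin' }, callback);
    return respond(200, { user: session.user, edittoken: session.editToken }, callback);
  }
  return respond(200, { user: session ? session.user : 'anonymous' }, callback);
}

// Constructed requests: same cookie, with and without a callback parameter.
const demoCookies = { session: 'sess-alice' };
console.log(handleApiRequest({ query: { action: 'tokens' }, cookies: demoCookies }));
console.log(handleApiRequest({ query: { action: 'tokens', callback: 'cb' }, cookies: demoCookies }));
console.log(handleApiRequest({ query: { action: 'whoami', callback: 'cb' }, cookies: demoCookies }));
```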