I think Opera would have been the last to change. I'm not sure of IE because early
versions of IE have poor ECMAScript support. You might override Array(), but I doubt
you can override Object with the __defineGetter__.
On May 17, 2012, at 9:37 AM, Chris Steipp wrote:
On Thu, May 17, 2012 at 6:32 AM, Andrew Garrett
<agarrett(a)wikimedia.org> wrote:
On Thu, May 17, 2012 at 11:19 PM, Daniel Friesen
<lists(a)nadir-seen-fire.com> wrote:
Yes. Except you can get tokens by the api. If we didn't drop permissions
to anon and reject requests for tokens to JSONP then it would be possible
for a 3rd party website to use JSONP to extract an edit token, and then
initiate a background iframe form POST to make an edit under your
account.
Read up. :)
Terry/Roan mentioned that you can use regular JSON output format, and
override the property setter to steal the data.
We've tried to make sure that there is no way to pull the edit token cross
site. That would be a violation of our security assumptions, so we would
try to fix it asap.
I've actually been looking at the override attack in my spare time for the
past few weeks (since I found out the edit token was available in JSON). I
haven't been able to find a browser that it works in yet, although I'm
suspicious of IE 6/7 and haven't had the time to test yet. If someone does
find a working example for a specific browser, please do notify me!
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
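
The mitigation described in the quoted messages (drop to anonymous for JSONP and refuse token requests over JSONP), sketched as an added example that is not part of the thread and not MediaWiki's code. The handler, action names, error codes and session store are hypothetical, and the callback-name check is extra hardening the thread does not discuss.

```javascript
// Added illustration, not MediaWiki code. All names here are hypothetical.
// Constructed session store: cookie value -> logged-in user and edit token.
const SESSIONS = new Map([
  ['cookie-abc', { user: 'Alice', editToken: 'constructed-token-1234' }],
]);
const ANON = { user: null, editToken: null };
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

function jsonResponse(body) {
  return { contentType: 'application/json', body: JSON.stringify(body) };
}

// query: parsed query string; cookie: session cookie sent by the browser.
function handleApi(query, cookie) {
  const isJsonp = query.callback !== undefined;
  if (isJsonp &&
      (typeof query.callback !== 'string' || !SAFE_CALLBACK.test(query.callback))) {
    return jsonResponse({ error: { code: 'bad-callback' } });
  }

  // A <script src> include sends the user's cookies cross-site and the
  // including page can read the result, so JSONP never sees the session.
  const session = isJsonp ? ANON : (SESSIONS.get(cookie) || ANON);

  let body;
  if (query.action === 'tokens') {
    // Refuse outright over JSONP instead of returning any token.
    body = isJsonp
      ? { error: { code: 'jsonp-token-denied' } }
      : { tokens: { edittoken: session.editToken } };
  } else if (query.action === 'userinfo') {
    body = { userinfo: { name: session.user } };
  } else {
    body = { error: { code: 'unknown-action' } };
  }

  if (!isJsonp) {
    return jsonResponse(body);
  }
  return {
    contentType: 'text/javascript',
    body: `${query.callback}(${JSON.stringify(body)})`,
  };
}
```

The same cookie yields the token only on the plain JSON path; with a callback parameter the response is built as if no cookie had been sent.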