On Mon, Feb 13, 2012 at 5:28 PM, Daniel Friesen lists@nadir-seen-fire.com wrote:
The idea that login is secure because it's on a separate page than the rest of the site is actually an old mistake. If a script is included ANYWHERE on the site on the same domain then it's possible to inject in some code that will fake pageviews in a way that will let an attacker have a running script when the user follows the login link to the login page. So there isn't really any security advantage of a separate login page over an ajax login. (well ;) unless you're using the separate login page because you have js disabled, then you're safe, heh)
Basically what the issue was is that if you're on an unencrypted HTTP pageview, you cannot trust the login form that gets AJAXed in, even if it submits to HTTPS. If the login form is transferred over HTTP (or the script that loads the login form is transferred over HTTP, or if *anything* comes on HTTP), it's not secure.
Roan