undefined | Better HN

0 pointsp_ing1y ago0 comments

https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...

Would be an additional method.

Your attack is not new/novel.

0 comments

Not claiming it to be novel or new at all. Just trying to understand. I'll think about CORS. Meanwhile my thought - correct me if I'm wrong, is that CORS would be irrelevant since on behalf of bank.com it is simply controlled by a regular viewer. While the real user is just telling the proxy where to click and what to do.

p_ingOP1y ago

CORS policy would say "okay end user, you can load everything from me, but also get jquery from <some jquery CDN>. no resources can come from anywhere else".

It's not a bad idea to just put in a CSP (always put in a CSP!), CORS policy, and Same-Origin. This is configured on your app rather than server (usually).

MDN is one of the better resources for this, and links out to other authoritative resources in the additional info section of a directive.

vitalipom1y ago

Okay, I’ll give it a try by mocking up an attack on a secure app of mine I’m making. Thanks!!!

j / k navigate · click thread line to collapse

0 comments

vitalipom1y ago

p_ingOP1y ago

CORS policy would say "okay end user, you can load everything from me, but also get jquery from <some jquery CDN>. no resources can come from anywhere else".

It's not a bad idea to just put in a CSP (always put in a CSP!), CORS policy, and Same-Origin. This is configured on your app rather than server (usually).

MDN is one of the better resources for this, and links out to other authoritative resources in the additional info section of a directive.

vitalipom1y ago

Okay, I’ll give it a try by mocking up an attack on a secure app of mine I’m making. Thanks!!!

j / k navigate · click thread line to collapse