Category: HTML5

HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

Same-Origin Policy is a protection mechanism built in to web browsers to prevent malicious web sites from interacting with web sites we visit. I’ve already written a full explanation of the mechanism here, but the TL;DR is that it allows web origins to make requests to other origins but prevents them from reading the response.

Sometimes, however, we may have a business need to allow two origins that we control to interact with each other. One method to allow communication is HTML5 postMessage which I’ve talked about already, another is Cross Origin Resource Sharing (CORS) and I’ll talk about the security implications of CORS here!

Continue reading: HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessages (also known as: Web Messaging, or Cross Domain Messaging) is a method of passing arbitrary data between domains. However if not implemented correctly it can lead to sensitive information disclosure or cross-site scripting vulnerabilities as it leaves origin validation up to the developer!

Continue reading: HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities