Tag Archives: HTML5

HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

Same-Origin Policy is a protection mechanism built into web browsers to prevent malicious web sites from interacting with web sites we visit. I’ve already written a full explanation of the mechanism here, but the TL;DR is that it allows web origins to make requests to other origins but prevents them from reading the response.

Sometimes, however, we may have a business need to allow two origins that we control to interact with each other. One method to allow communication is HTML5 postMessage, which I’ve talked about already; another is Cross Origin Resource Sharing (CORS), and I’ll talk about the security implications of CORS here!

Continue reading: HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessages (also known as Web Messaging or Cross Domain Messaging) is a method of passing arbitrary data between domains. However, if not implemented correctly, it can lead to sensitive information disclosure or cross-site scripting vulnerabilities, as it leaves origin validation up to the developer!

Continue reading: HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities