I know that we can get child or parent iframe document, then modify the dom tree maliciously without same-origin-policy. And Cookie need to be set a domain.
And I read an Article Why is the same origin policy so important?. Here is the part confused me.
Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same origin policy JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example read private messages, post status updates, analyse the HTML DOM-tree after you entered your password before submitting the form.
How to do that? I mean attack another browser tab and get its document.
Aucun commentaire:
Enregistrer un commentaire