> Users:
> * switch off Javascript (and any other active content)
> * avoid pages unusable without active content
>
> Developers:
> * always offer working alternatives to active content (page
> must be usable with no JS, no Java, no Flash (I won't talk
> about other client-side monsters here).
> * convince your bosses/clients that (X)HTML/CSS is enough to
> make beautiful and usable pages.
>
> OK, now call me names :-)

Neither of these options will work. Consider this scenario.

1) Joe Bloggs logs into my website and has an active session.
2) Clicks on a link (either from an email or from content posted on my site) to http://www.malicious-site.com/index.html
3) That index page contains an <img src="/logo.gif" /> tag
4) Instead of serving the image, the server at www.malicious-site.com issues a 302 HTTP Status code which redirects Joe Bloggs to http://my.website.com/change_password?new_password=abcde

So his password gets changed: because this is coming from a live session, the request is from his own browser and sends the session cookie, and he doesn't see the image because the return page isn't an image.
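The scenario above works because the password endpoint changes state on a GET and trusts the session cookie alone. The following is an added illustration (not code from the original thread or the poster's site) that models that endpoint beside a hardened version which only accepts POST and requires a per-session token; the session table, users, secret key and the `request` helper are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo state: server-side session table and user table.
SECRET_KEY = b"constructed-demo-secret"   # assumption: loaded from config in real code
SESSIONS = {"s3ss10n": "joe"}              # session id -> logged-in user
USERS = {"joe": "original-password"}


def request(method, params, cookies):
    """A request as the server sees it: method, query/form params, cookies the browser attached."""
    return {"method": method, "params": params, "cookies": cookies}


def vulnerable_change_password(req):
    """State change on GET, authenticated by the session cookie alone.
    The 302-from-an-<img> trick in the thread lands here with Joe's cookie attached."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if user is None:
        return 401
    USERS[user] = req["params"]["new_password"]
    return 200


def csrf_token(session_id):
    """Per-session anti-forgery token: an HMAC another site can neither compute nor read."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_change_password(req):
    """Only POST changes state, and the body must carry the token bound to this session."""
    if req["method"] != "POST":
        return 405                         # a redirect can only ever produce a GET
    sid = req["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    submitted = req["params"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(sid)):
        return 403                         # missing or forged token
    USERS[user] = req["params"]["new_password"]
    return 200


def simulate_forged_request(handler):
    """The request from the thread: a GET with Joe's cookie, as sent after the 302."""
    USERS["joe"] = "original-password"
    forged = request("GET", {"new_password": "abcde"}, {"session": "s3ss10n"})
    return handler(forged), USERS["joe"]


def simulate_legit_change(new_password):
    """Joe's own form submit: POST carrying the token his page rendered."""
    own = request("POST", {"new_password": new_password, "csrf_token": csrf_token("s3ss10n")},
                  {"session": "s3ss10n"})
    return hardened_change_password(own), USERS["joe"]
```

Marking the session cookie SameSite=Lax additionally keeps it off cross-site subresource requests such as the redirected image, but a top-level navigation GET still carries it, so the method and token checks above remain necessary.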