Sunday, 8 February 2015

Understanding SOP in multiple tabs

I am reading another answer on this website. It says:

Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same-origin policy, JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example, read private messages, post status updates, analyse the HTML DOM tree after you entered your password before submitting the form.


I'm not able to understand how the malicious domain can access a Facebook account from a different tab and how SOP protects against this.


The malicious domain is free to send a GET/POST request to facebook.com, and the browser will attach a cookie for Facebook if available. But then wouldn't the problem be due to Facebook's server-side protection (CSRF scenario)? How does SOP help in this case?
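The distinction the question is asking about, as an added example in JavaScript that is not part of the original post: a small model of what the same-origin policy lets a script in one tab do with another origin (send a request, read a response, read a tab's DOM). The origin https://other-site.example and the CORS response headers are constructed values.

```javascript
// Added example (not code from the question or any real browser): a model of
// what the same-origin policy (SOP) permits and blocks in the two-tab scenario.

// Two URLs share an origin when scheme, host and port all match.
// URL.origin normalises default ports: https://a.example:443 === https://a.example.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// What a script running at scriptUrl may do with targetUrl.
//   "send-request":  the request goes out and the browser attaches the target's
//                    cookies. SOP does not stop this; it is the CSRF surface
//                    the question describes, so the server needs its own defence.
//   "read-response": blocked unless the target opts in via CORS. Because the
//                    request carried cookies, '*' is not enough: the exact
//                    origin must be echoed and Allow-Credentials must be true.
//   "read-dom":      another tab's document is never readable across origins;
//                    there is no opt-in. This is what stops the malicious tab
//                    from reading the Facebook DOM (including any CSRF token).
function sopDecision(scriptUrl, targetUrl, action, responseHeaders = {}) {
  if (sameOrigin(scriptUrl, targetUrl)) return "allowed";
  switch (action) {
    case "send-request":
      return "sent-with-cookies";
    case "read-response": {
      const acao = responseHeaders["access-control-allow-origin"];
      const acac = responseHeaders["access-control-allow-credentials"];
      const ok = acao === new URL(scriptUrl).origin && acac === "true";
      return ok ? "allowed-via-cors" : "blocked";
    }
    case "read-dom":
      return "blocked";
    default:
      throw new Error(`unknown action: ${action}`);
  }
}

// The question's scenario: a script in one tab at a constructed third-party
// origin, a logged-in Facebook session open in another tab.
function scenario() {
  const other = "https://other-site.example/page";
  const fb = "https://www.facebook.com/messages";
  return {
    postToFacebook: sopDecision(other, fb, "send-request"),        // "sent-with-cookies"
    readFacebookResponse: sopDecision(other, fb, "read-response"), // "blocked"
    readFacebookTabDom: sopDecision(other, fb, "read-dom"),        // "blocked"
    facebookReadsOwnDom: sopDecision("https://www.facebook.com/home", fb, "read-dom"), // "allowed"
  };
}

console.log(scenario());
```

The request is still sent with cookies, which is why the CSRF defence has to live on the server; SOP's contribution is that the other tab cannot read the Facebook response or DOM, so it cannot learn the token that defence relies on.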
