Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

[Michal Zalewski <lcamtuf () coredump cx>]

> Eh, you can see where it came from though. Design bugs like this are absolutely miserable to fix (see how we'll never 
> get rebinding out of the browser) and letting identical IP's script against eachother lets an awful lot of legitimate 
> traffic through while blocking almost all attacks.
>
> I'm not saying it's a preferred design, but let's reserve "horrible" for things that don't have quite the obvious 
> thought process behind them.

"Horrible" in the sense it had significant consequences for the safety
of all Internet users, for at least a decade (ever since HTTP vhosts
became reasonably popular, which must be what, late 90s).

I don't really question the thought process - although it's
interesting to see that almost all attempts to redefine / reinvent SOP
led to significant issues over the years. This is not merely the fault
of plugin vendors, by the way - the incompatibility between DOM SOP
and cookie "SOP" pose some very interesting and underappreciated
problems for many classes modern web apps. And it's certainly not
unique to SOP, too:

http://lcamtuf.blogspot.com/2010/10/attack-of-monster-frames-mini.html

Anyway...

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/