Re: applet security connecting to hosts

[Jeremiah Grossman <jeremiah () whitehatsec com>]

I think what you are encountering is the "same-origin" policy  
implemented by the browser (Mozilla/IE). The quote and links below  
should help answer your question. But, even with the same-origin  
restriction in place, its possible to make off-domain requests using  
any number of ways just as you mention. Such as opening up a new window  
or frame. Images can also serve this purpose as well.

What you can't do (almost certain of) is read data from an off-domain  
window or http request.



"The same-origin policy is a fairly severe restriction, but it is  
necessary to prevent scripts from stealing proprietary information.  
Without this restriction, an untrusted script (perhaps a script loaded  
through a firewall into a browser on a secure corporate intranet) in  
one window could use DOM methods to read the contents of documents in  
other browser windows, which might contain private information."
http://d0om.fnal.gov/d0admin/doctaur/dtdocs/p-langs/web_prog_bookshelf/ 
jscript/ch21_03.htm

http://www.mozilla.org/projects/security/components/same-origin.html


Regards,

Jeremiah-



On Sunday, March 6, 2005, at 10:40  PM, F Lace wrote:

> hello!
> An unsigned applet cannot connect to a host other than the originating
> host. "connect" in the sense, it cannot use Socket or URLConnection.
> But it can open any URL in some other window/frame, using
> Appletcontext.showDocument. There is no restriction here, as the
> applet is directing the browser to open the URL in an other window,
> and the applet itself wont have access to it.
>
> First off, can someone explain the security issue if an unsigned
> applet connects to a different host?
> Now the subject of this email: With LiveConnect possible, it is easy
> to get access to the content of the window that showDocument has
> opened. Am I missing something or is this a security issue?
>
> Thanks.