What is the security risk when accessing an external image from JavaScript?

Using JavaScript, you cannot convert an image (hosted on a different domain than the one the JavaScript is served from) to a canvas.

What is the security risk? It cannot just be to avoid phishing, right?

+4
2 answers

The same-origin policy prohibits access to remote data from another domain. One of the main attacks this stops is bypassing the user's login by waiting for them to be logged in on another site and then piggybacking your request on their authenticated session.

Whether the downloaded data is an HTML fragment, an image file or anything else, it is blocked, so you cannot use it in any way (for example, by inspecting the pixel data of an image obtained this way).

+4
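The rule the answer above describes is the browser's "origin-clean" check for a canvas: a cross-origin image can be drawn, but reading the pixels back with getImageData() throws a SecurityError unless the image was requested with CORS and the server opted in. The following is an added example, not code from the question or the answers; it models that decision as a plain function so it can be run in Node, with constructed page and image URLs and constructed response headers as assumptions.

```javascript
// Added example: a model of the browser's "origin-clean" check for <canvas>.
// It is what makes getImageData() fail after drawing a cross-origin image.

// Compute the origin (scheme://host[:port], default port dropped) of a URL.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether drawing `imageUrl` onto a canvas owned by a page at `pageUrl`
// leaves the canvas origin-clean (pixel readback allowed) or tainted.
//   crossOrigin: value of the <img crossorigin> attribute: null (absent),
//                "anonymous", "use-credentials" (any other value acts as "anonymous")
//   response:    lower-cased CORS response headers from the image server
//                (constructed for this example)
function canvasStaysClean(pageUrl, imageUrl, crossOrigin, response = {}) {
  const pageOrigin = originOf(pageUrl);
  const imageOrigin = originOf(imageUrl);

  // Same-origin images never taint the canvas.
  if (pageOrigin === imageOrigin) return true;

  // No crossorigin attribute: the browser fetches in "no-cors" mode. The image
  // still renders, but the canvas is tainted and getImageData() throws.
  if (crossOrigin === null) return false;

  const acao = response['access-control-allow-origin'];
  const acac = response['access-control-allow-credentials'];

  if (crossOrigin === 'use-credentials') {
    // Credentialed CORS request: the wildcard is rejected; the server must echo
    // the exact page origin and send Access-Control-Allow-Credentials: true.
    return acao === pageOrigin && acac === 'true';
  }
  // Anonymous CORS request: the server must echo our origin or use the wildcard.
  return acao === '*' || acao === pageOrigin;
}

// Constructed scenario: an editor on https://app.example reads pixels from a CDN image.
const PAGE = 'https://app.example/editor';
const IMG = 'https://cdn.example/photo.png';
console.log(canvasStaysClean(PAGE, IMG, null));                                  // false: tainted
console.log(canvasStaysClean(PAGE, IMG, 'anonymous',
  { 'access-control-allow-origin': '*' }));                                      // true: readable
```

In page code the two cases correspond to a bare `<img>` versus `img.crossOrigin = 'anonymous'` on an image host that sends `Access-Control-Allow-Origin`; without that header the attribute alone does not help, the load simply fails.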

There is one tricky attack vector associated with external images: someone can post an image that is loaded from an external resource they control. After some time, this URL can be changed to return a request for HTTP Basic authentication, so other users will see a dialog asking for their username and password. Some users, especially inexperienced ones, may enter their credentials for the attacked site, which are then sent to the attacker. Therefore, be careful with external resources.

0
