Oh, great: There's a new Same Origin Policy exploit for Edge

Edge nemesis, security tester Manuel Caballero from Buenos Aires, has popped the browser again, getting around its Same Origin Policy to steal stored credentials. Over at his Broken Browser blog, Caballero explains that an attacker can fake their originator for a referrer spoof, and “thanks to the existence of data-uris and …

  1. Ken Hagan Gold badge

    This, and the other thousand exploits against JavaScript's security model that have dribbled out at a steady rate over the last 20 years, is why "HTML5 apps" are a bad idea.

    Theoretically, there's no intrinsic problem that anyone can point to. In practice, when the world has spent 20 years trying to plug the holes and is still failing several times per month, there comes a moment when rational players ought to conclude that there perhaps is an intrinsic problem and it is simply that we don't know what it is.

    1. hplasm

      "...perhaps is an intrinsic problem and it is simply that we don't know what it is."

      Is it not bad programming?

    2. TheVogon

      Well thanks for letting all the bad guys know before it is patched...

      Maybe he should get a job with Google?

    3. The First Dave


      What part of this exploit is the fault of JavaScript? As described, the fault lies with Edge.

    4. Anonymous Coward

      "Native apps" are a worse idea.

    5. Orv Silver badge

      I suppose you could stick with native, where instead of many small security holes you just have one big one.

  2. VinceH

    Microsoft Edge

    The faster, safer browser designed for Windows 10.

  3. herman Silver badge

    "The faster, safer browser designed for Windows 10." - Well, compared to Win10, Edge is very fast, safe and secure.

  4. HAL-9000

    The future is secure in our hands

    For those unaware: the interesting bit starts at 58'30'' where Microsoft declare their intentions towards security

    Funnily, Defender drops a bit in the latest test here:

    and serves as a starting point here:


  5. EnviableOne

    The entire issue is that web designers that once were HTML jockeys are now calling themselves Web Developers and don't have a clue how to program, or about security.

    OWASP top 4 hasn't changed since 2010 (injection, XSS, Insecure object ref, Broken Auth and Session Mgmt)
