Thursday, March 01, 2007

Is XSS in blogger applications serious enough?

As I was reading through some of my earlier posts, I came across this post. At the time when I wrote that one, I did not know what blogging was all about. Later when I started using it more and more, adding tools like sitemeter and adsense, I realized that being able to add scripts to your posts is fairly normal.

But then was the post mentioned above totally useless? I don't think so. At the time when I wrote that, if I remember correctly, both the admin panel and your blog used to be on the same domain. XSS is significant in such a case. Today I see my admin panel from www2.blogger.com, whereas my blog is on blogspot.com, but earlier this was not the case. Therefore, if I forced you to visit my blog while you were logged in to your admin panel, I could potentially compromise your account.

That's probably the reason why blogger now uses this strategy of two different hosts for these functions.

2 comments:

kuza55 said...

I'm pretty sure that was never the case, or at least hasn't been for a very long time. I remember when I first set up a blog in 2005 using blogger, it had a .blogspot.com domain, and all the admin stuff was done on blogger.com. At the time it just confused me, but yes, it is most definitely to protect against XSS attacks.

Kishor said...

Thanks kuza55.