Saturday, April 7. 2007
Very recently there has been a new paper about what the authors call JavaScript Hijacking. It analyses several JavaScript frameworks for a cross-domain data-retrieval vulnerability that works through the <script> tag. The paper comes to the conclusion that in nearly all JavaScript frameworks that work with JSON-encoded data, the data can be retrieved cross-domain via the <script> tag.
While some might consider this news and others do not, the authors very clearly write in their paper that this kind of vulnerability has already been discussed in several places. However, some malicious bloggers (previous link was wrong) claim that Fortify claims to have found a new class of web-based attacks. Other bloggers, like Chris Shiflett, try to disinform people that this is just a CSRF vulnerability used for information disclosure and that you cannot protect against it via the Referer HTTP header because it is spoofable by Flash.
First of all, the problem Fortify describes is not bound to CSRF attacks, because it simply describes how data can be retrieved with the <script> tag. The described problem is not that the request can be made, but that the cross-domain answer can be read. Because of this, the statement that checking the Referer header is not a possible safeguard because it can be spoofed, for example by Flash, is completely bogus. It is bogus because Flash has nothing to do with <script> tags. And even if you can perform a Flash attack with a spoofed Referer header (isn't that problem fixed in the latest Flash anyway?), you still cannot read the response, and that is what the Fortify paper is all about.
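One way to close the <script>-tag retrieval vector on the server side, added here as an example that is not code from the original post or from the Fortify paper: it applies the Referer check the post defends, additionally requires a custom header that a <script> tag cannot send, and (going beyond the post) prefixes the body so the response is useless as a script. SITE_ORIGIN, the header names, the prefix and the sample data are assumptions.

```javascript
// Added example (not from the original post or the Fortify paper): a gate for a
// JSON endpoint that blocks cross-domain retrieval via <script src="...">.
//
// A <script> tag request from a foreign page has two properties a defender can use:
//  1. the browser sends the embedding page's URL as the Referer, and a <script>
//     tag cannot forge it (the post's point: Flash is a different vector);
//  2. a <script> tag cannot add custom request headers, so a header that our own
//     XMLHttpRequest code always sets will be missing.
// As an extra layer beyond the post, the body is prefixed with a statement that
// never terminates, so even a served response cannot be executed as a script.

const SITE_ORIGIN = 'https://app.example'; // assumed origin of our own pages
const GUARD_PREFIX = 'while(1);';          // assumed prefix; our XHR client strips it

// Decide whether to serve JSON for a request; returns { status, body }.
function serveJson(req, payload) {
  const referer = req.headers['referer'];
  // A data-only endpoint used solely by our own pages can require a Referer;
  // a missing one is treated as not coming from our pages.
  if (!referer) return { status: 403, body: 'missing Referer' };
  let origin;
  try {
    origin = new URL(referer).origin;
  } catch (e) {
    return { status: 403, body: 'malformed Referer' };
  }
  if (origin !== SITE_ORIGIN) return { status: 403, body: 'cross-origin Referer' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: 'not an XMLHttpRequest' };
  }
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(payload) };
}

// Client-side counterpart: strip the guard prefix, then parse the JSON.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error('unexpected response format');
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Constructed sample requests: one from our own page via XMLHttpRequest, one
// from a foreign page that included the endpoint with a <script> tag.
const SAMPLE = [{ id: 1, email: 'user@app.example' }];
const ownXhr = {
  headers: { referer: 'https://app.example/inbox', 'x-requested-with': 'XMLHttpRequest' },
};
const foreignScript = { headers: { referer: 'https://other.example/page.html' } };
```

serveJson(ownXhr, SAMPLE) yields status 200 with a guarded body, while serveJson(foreignScript, SAMPLE) yields status 403.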