Consider a site for frontend devs/designers to host their portfolio apps – pages with arbitrary JS, each hosted on a user’s separate profile.
What attack vectors would that enable against the site? Some suggestions and comments:
- Defacing the site (user’s own profile, not interesting)
- Phishing (by rewriting the UI to ask for credentials while using the safe domain)
- Credential theft of logged-in users, by pulling auth cookies (irrelevant if auth cookies are HttpOnly?)
- Request forgery (by triggering a POST request from within the approved domain)
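The list above all follows from one fact: JS served from the site's own origin is the site, as far as the browser is concerned. HttpOnly only stops `document.cookie` from reading the session cookie; the browser still attaches it to any same-origin request the script fires, so the request-forgery item stands. The usual answer is to move user pages onto a separate origin and to have the main app refuse state-changing requests from anywhere else. The following is an added example written for this page, not code from the original question; it models that split as a pure request handler (no network) with assumed hostnames (`portfolio.example`, `*.usercontent.example`), assumed paths, and a constructed user page.

```javascript
// Added example (not from the original question): a request handler, modelled
// as a pure function, showing the mitigations usually paired for hosting
// untrusted user pages: serve them from a separate origin under a CSP sandbox,
// keep the session cookie out of script reach, and check Origin on writes.
// Hostnames, paths and the request object shape are assumptions for the demo.

const APP_HOST = 'portfolio.example';            // assumed main-app origin
const USER_HOST_SUFFIX = '.usercontent.example'; // assumed per-user sandbox origin

// Constructed sample: what a user uploaded. Its contents are untrusted.
const USER_PAGES = {
  alice: '<h1>Alice</h1><script>/* arbitrary user JS runs here */</script>',
};

function hostOf(req) {
  return String(req.headers.host || '').toLowerCase();
}

// Session cookie for the main app: HttpOnly keeps it out of document.cookie,
// SameSite=Strict keeps browsers from attaching it to requests initiated
// from another site, such as a user page on *.usercontent.example.
function sessionCookie(sessionId) {
  return `sid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// User pages are served only under <user>.usercontent.example. The CSP
// 'sandbox allow-scripts' lets the page run its JS but gives it an opaque
// origin, so it holds no cookies and has no same-origin access to anything;
// 'frame-ancestors none' stops it from being framed inside the main app.
function serveUserPage(req) {
  const host = hostOf(req);
  const user = host.slice(0, -USER_HOST_SUFFIX.length);
  if (!/^[a-z0-9-]+$/.test(user) || !(user in USER_PAGES)) {
    return { status: 404, headers: {}, body: 'no such profile' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': "sandbox allow-scripts; frame-ancestors 'none'",
      'X-Content-Type-Options': 'nosniff',
    },
    body: USER_PAGES[user],
  };
}

// Main app. State-changing requests must carry an Origin header equal to the
// app's own origin; a POST fired from a user page arrives with
// Origin: https://alice.usercontent.example and is refused.
function handle(req) {
  const host = hostOf(req);
  if (host.endsWith(USER_HOST_SUFFIX)) return serveUserPage(req);
  if (host !== APP_HOST) return { status: 421, headers: {}, body: 'misdirected request' };

  if (req.method !== 'GET' && req.method !== 'HEAD') {
    if (req.headers.origin !== `https://${APP_HOST}`) {
      return { status: 403, headers: {}, body: 'cross-origin request rejected' };
    }
  }
  if (req.method === 'POST' && req.url === '/login') {
    // 'constructed-session-id' stands in for a real random session token.
    return { status: 204, headers: { 'Set-Cookie': sessionCookie('constructed-session-id') }, body: '' };
  }
  return { status: 200, headers: { 'Content-Type': 'text/html; charset=utf-8' }, body: '<h1>app</h1>' };
}

// Stand-alone demo over constructed requests; returns the status codes seen.
function demo() {
  const samples = [
    { method: 'GET', url: '/', headers: { host: 'alice.usercontent.example' } },
    { method: 'POST', url: '/api/profile', headers: { host: APP_HOST, origin: 'https://alice.usercontent.example' } },
    { method: 'POST', url: '/api/profile', headers: { host: APP_HOST, origin: `https://${APP_HOST}` } },
  ];
  return samples.map((req) => {
    const res = handle(req);
    console.log(`${req.method} ${req.headers.host}${req.url} -> ${res.status}`);
    return res.status;
  });
}

demo();
```

The two checks do different jobs: the separate origin plus CSP `sandbox` removes the user script's ability to read the site's cookies or make credentialed same-origin requests at all, while the `Origin` check on the main app is the backstop in case a user page ever ends up served from the wrong host. Phishing by imitating the site's UI is not solved by code; what the split buys is that the address bar shows `alice.usercontent.example` rather than the real domain.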