[whatwg] Cross-origin JavaScript capability leak in showModalDialog
Ian Hickson
ian at hixie.ch
Thu Jun 11 18:21:36 PDT 2009
On Thu, 28 May 2009, Adam Barth wrote:
>
> In Step 12 of
> http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
> the auxiliary browsing context's return value is transferred from the
> auxiliary browsing context to whichever script called showModalDialog
> without regard for the origin of these two browsing contexts. In most
> situations, this will let the auxiliary browsing context XSS the caller
> of showModalDialog. Instead, we should perform the same origin checks
> and subsequent transformations that we perform on the dialog arguments
> in step 7.
The return value is always just a string; why is this a problem? Surely
it's more or less equivalent to handling a string passed from a foreign
postMessage() call or some such.
Note that returnValue can also be used as a cross-origin communication
mechanism here; if this is a problem, do you want to track the origin of
the setter and treat it as "" if the origin differs?
--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.