[whatwg] Cross-origin JavaScript capability leak in showModalDialog
Adam Barth
whatwg at adambarth.com
Thu May 28 11:38:17 PDT 2009
In Step 12 of http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
the auxiliary browsing context's return value is transferred from the
auxiliary browsing context to whichever script called showModalDialog
without regard for the origin of these two browsing contexts. In most
situations, this will let the auxiliary browsing context XSS the
caller of showModalDialog. Instead, we should perform the same origin
checks and subsequent transformations that we perform on the dialog
arguments in step 7.
Adam
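
A model of the hand-off discussed in the message above, added here as an illustration; it is not code from the original post or from the specification. The context objects, function names, and the cross-origin transformation (object references replaced by an empty string, primitives passed as strings) are assumptions standing in for whatever step 7 applies to the dialog arguments.

```javascript
// Added illustration; all names are hypothetical, sample contexts are constructed.

// Origin as a (scheme, host, port) tuple, with default ports filled in.
function originOf(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// ASSUMPTION: stand-in for the cross-origin transformation. Object and
// function references never cross; primitives cross only as strings.
function sanitizeForForeignOrigin(value) {
  if (value === undefined) return undefined;
  const isRef = (typeof value === "object" && value !== null) || typeof value === "function";
  return isRef ? "" : String(value);
}

// The hand-off as the message describes it: the caller's origin is never
// consulted, so a live object from the dialog reaches the caller.
function transferUnchecked(dialog, caller) {
  return dialog.returnValue;
}

// The hand-off with the origin check applied to the return value as well.
function transferChecked(dialog, caller) {
  return sameOrigin(originOf(dialog.url), originOf(caller.url))
    ? dialog.returnValue
    : sanitizeForForeignOrigin(dialog.returnValue);
}

// Constructed sample contexts.
const caller = { url: "https://app.example/page" };
const foreignDialog = {
  url: "https://other.example/dialog",
  returnValue: { run() { return "dialog code"; } },
};
const localDialog = { url: "https://app.example:443/dialog", returnValue: { ok: true } };

console.log(typeof transferUnchecked(foreignDialog, caller));             // object
console.log(JSON.stringify(transferChecked(foreignDialog, caller)));      // ""
console.log(transferChecked(localDialog, caller) === localDialog.returnValue); // true
```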