[whatwg] Cross-origin JavaScript capability leak in showModalDialog

Adam Barth whatwg at adambarth.com
Thu May 28 11:38:17 PDT 2009

In Step 12 of http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
the auxiliary browsing context's return value is transfered from the
auxiliary browsing context to whichever script called showModalDialog
without regard for the origin of these two browsing contexts.  In most
situations, this will let the auxiliary browsing context XSS the
caller of showModalDialog.  Instead, we should perform the same origin
checks and subsequent transformations that we perform on the dialog
arguments in step 7.


More information about the whatwg mailing list