[whatwg] <object> behavior

Ben Laurie benl at google.com
Fri Oct 16 14:56:40 PDT 2009


On Fri, Oct 16, 2009 at 5:48 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 10/16/09 4:12 PM, Ben Laurie wrote:
>>
>> I realise this is only one of dozens of ways that HTML is unfriendly
>> to security, but, well, this seems like a bad idea - if the page
>> thinks it is embedding, say, some flash, it seems like a pretty bad
>> idea to allow the (possibly untrusted) site providing the "flash" to
>> run whatever it wants in its place.
>
> This cuts both ways.  If a site allows me to upload images and I upload an
> HTML file with some script in it and tell it it's a GIF (e.g. via the name)
> and then put an <object type="text/html"
> data="http://this.other.site/my.gif"> on my site...  then I just injected
> script into a different domain if we let @type override the server-provided
> header.
>
> This is, imo, a much bigger problem than that of people embedding content
> from an untrusted site and getting content X instead of content Y,
> especially because content X can't actually access the page that contains
> it, right?

Flash can, for example.

>
> -Boris
>
