[whatwg] Fixing two security vulnerabilities in registerProtocolHandler
Boris Zbarsky
bzbarsky at MIT.EDU
Mon Apr 2 17:21:45 PDT 2012
On 4/2/12 7:39 PM, Ian Hickson wrote:
>> For example, an attacker could open a window on a victim web page. The
>> victim web page then opens an <iframe> on a content URL that triggers
>> RPH. The attacker then navigates the <iframe> so that its
>> window.location contains a different content URL.
>
> How can the attacker navigate that iframe? Surely it would not be allowed
> to navigate it, per the "allowed to navigate" definition in HTML.
As far as I can tell UAs seem to allow walking window.frames for any
window you have a reference to without performing any same-origin
checks, so you can walk your way down the frame hierarchy and then set
location.href, which is allowed cross-origin. I don't see any sort of
"allowed to navigate" check happening on the href set in UAs, but maybe
I'm testing it wrong?
-Boris
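To make the "allowed to navigate" check Ian refers to concrete, here is an added example (not code from this thread, from Boris, or from any browser) that models the four conditions of the HTML spec's definition over a tiny tree of browsing contexts and evaluates them for the scenario quoted above: an attacker window opens a victim window, and the victim page nests a content <iframe>. The origins are constructed placeholders and the object shape is an assumption of this model. Under the spec definition the attacker is allowed to navigate the victim window it opened, but not the victim's nested frame; Boris's observation is that UAs of the time did not appear to enforce the nested-frame part.

```javascript
// Added example: a simplified model of the HTML spec's "allowed to navigate"
// definition (four conditions, as worded in 2012). Browsing contexts are
// plain objects: { name, origin, parent, opener }. Constructed for
// illustration; this is not browser code.

function makeContext(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener };
}

function isTopLevel(ctx) {
  return ctx.parent === null;
}

// Walk up the parent chain to the top-level browsing context.
function topLevel(ctx) {
  let c = ctx;
  while (c.parent) c = c.parent;
  return c;
}

// All ancestor browsing contexts of ctx, nearest first.
function ancestors(ctx) {
  const out = [];
  for (let c = ctx.parent; c; c = c.parent) out.push(c);
  return out;
}

// Returns true if context `a` is allowed to navigate context `b`.
function allowedToNavigate(a, b) {
  // 1. Same origin: a may always navigate b.
  if (a.origin === b.origin) return true;
  // 2. a is nested and b is a's own top-level browsing context.
  if (!isTopLevel(a) && topLevel(a) === b) return true;
  // 3. b is an auxiliary context (has an opener) and a may navigate that opener.
  if (b.opener && allowedToNavigate(a, b.opener)) return true;
  // 4. b is nested and some ancestor of b is same-origin with a.
  if (!isTopLevel(b) && ancestors(b).some((c) => c.origin === a.origin)) return true;
  return false;
}

// The scenario from the thread: attacker opens victim, victim nests a
// content frame. Origins are constructed placeholders.
function rphScenario() {
  const attacker = makeContext('attacker', 'https://attacker.example');
  const victim = makeContext('victim', 'https://victim.example', { opener: attacker });
  const content = makeContext('content-frame', 'https://content.example', { parent: victim });
  return { attacker, victim, content };
}

// Evaluate every pair in the scenario so a reader can see which
// navigations the spec permits.
function scenarioReport() {
  const s = rphScenario();
  return {
    attackerToVictim: allowedToNavigate(s.attacker, s.victim),   // true (cond. 3)
    attackerToContent: allowedToNavigate(s.attacker, s.content), // false
    victimToContent: allowedToNavigate(s.victim, s.content),     // true (cond. 4)
    contentToVictim: allowedToNavigate(s.content, s.victim),     // true (cond. 2)
    contentToAttacker: allowedToNavigate(s.content, s.attacker), // false
  };
}

console.log(scenarioReport());
```

The interesting line is `attackerToContent`: the spec intends that reaching a frame through `window.frames` does not by itself grant the right to navigate it, so a conforming UA would have to apply this check on the `location.href` set rather than only on direct property access.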