[whatwg] Fixing two security vulnerabilities in registerProtocolHandler
Ian Hickson
ian at hixie.ch
Mon Apr 2 17:25:43 PDT 2012
On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 7:39 PM, Ian Hickson wrote:
> > > For example, an attacker could open a window on a victim web page.
> > > The victim web page then opens an <iframe> on a content URL that
> > > triggers RPH. The attacker then navigates the <iframe> so that its
> > > window.location contains a different content URL.
> >
> > How can the attacker navigate that iframe? Surely it would not be
> > allowed to navigate it, per the "allowed to navigate" definition in
> > HTML.
>
> As far as I can tell UAs seem to allow walking window.frames for any
> window you have a reference to without performing any same-origin
> checks, so you can walk your way down the frame hierarchy and then set
> location.href, which is allowed cross-origin. I don't see any sort of
> "allowed to navigate" check happening on the href set in UAs, but maybe
> I'm testing it wrong?
Ah, yes, good point, I forgot that the attacker would have a reference to
the Window object.
Seems like it would be just as easy to just register a protocol handler
though. I mean, why would the victim assume it trusts the handler in this
scenario?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'