[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

Tyler Close tyler.close at gmail.com
Mon Apr 9 16:28:56 PDT 2012

On Mon, Apr 9, 2012 at 4:23 PM, Tyler Close <tyler.close at gmail.com> wrote:
> On Mon, Apr 9, 2012 at 3:12 PM, Ian Hickson <ian at hixie.ch> wrote:
>> Just wait for the iframe to
>> appear and then navigate it to the mailto: handler with the parameters you
>> want.

That attacker has to navigate the iframe to the RPH handler URL with
the embedded mailto URL, not the mailto URL directly. Using the mailto
URL directly would cause the browser to run through its RPH code a
second time, causing the user to see a second Picker dialog, so the
attack is no longer invisible to the user.

