[whatwg] Fixing two security vulnerabilities in registerProtocolHandler
Tyler Close
tyler.close at gmail.com
Mon Apr 9 16:28:56 PDT 2012
On Mon, Apr 9, 2012 at 4:23 PM, Tyler Close <tyler.close at gmail.com> wrote:
> On Mon, Apr 9, 2012 at 3:12 PM, Ian Hickson <ian at hixie.ch> wrote:
>> Just wait for the iframe to
>> appear and then navigate it to the mailto: handler with the parameters you
>> want.
That attacker has to navigate the iframe to the RPH handler URL with
the embedded mailto URL, not the mailto URL directly. Using the mailto
URL directly would cause the browser to run through its RPH code a
second time, causing the user to see a second Picker dialog, so the
attack is no longer invisible to the user.
--Tyler