
Re: DOM traversal ambiguity question

From: Ory Segal <orysegal@gmail.com>
Date: Mon, 18 Aug 2008 09:29:06 +0300
Message-ID: <a9a26b7b0808172329u6a3ac587u3cbf5ff8a3585325@mail.gmail.com>
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: public-html@w3.org

Hi,

As my previous email mentioned, the child cannot set/get any objects on the
parent, but it can still query for their existence, which means that:

if ( parent.someObject )

will still return TRUE/FALSE.

This is what enables the attack I have mentioned in my original blog post,
and that is the root cause of the problem.

-Ory



On Mon, Aug 18, 2008 at 4:51 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> Ory Segal wrote:
>
>> ( Note - assuming that the child and the parent documents originate from
>> the same domain
>>
> ...
>
>> Functionally speaking, the problem is not so severe, but there are
>> security implications to this ambiguity - a malicious parent document (not
>> from the same domain)
>>
>
> I'm not sure how to reconcile those two things.  If the parent is not from
> the same domain, the child can't access things in it, and there is no
> problem, no?
>
> -Boris
>
Received on Monday, 18 August 2008 06:31:14 GMT
