Re: DOM traversal ambiguity question

From: Ory Segal <orysegal@gmail.com>
Date: Mon, 18 Aug 2008 09:29:06 +0300
Message-ID: <a9a26b7b0808172329u6a3ac587u3cbf5ff8a3585325@mail.gmail.com>
To: "Boris Zbarsky" <bzbarsky@mit.edu>
Cc: public-html@w3.org

As my previous email mentioned, the child cannot set/get any objects on the
parent, but it can still query for their existence, which means that:

if ( parent.someObject )

will still return TRUE/FALSE.

This is what enables the attack I mentioned in my original blog post,
and that is the root cause of the problem.


On Mon, Aug 18, 2008 at 4:51 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> Ory Segal wrote:
>> ( Note - assuming that the child and the parent documents originate from
>> the same domain
> ...
>> Functionally speaking, the problem is not so severe, but there are
>> security implications to this ambiguity - a malicious parent document (not
>> from the same domain)
> I'm not sure how to reconcile those two things.  If the parent is not from
> the same domain, the child can't access things in it, and there is no
> problem, no?
> -Boris
Received on Monday, 18 August 2008 06:31:14 UTC