Re: A perfect DOM sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 15 Feb 2011 10:06:09 +0000
Message-ID: <AANLkTindDmGdaPo2tcrJePEv5=FgTJdooG4TvOdqsMO4@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 15 February 2011 07:54, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 2/15/11 2:40 AM, sird@rckc.at wrote:
>
>>     if(navigator.userAgent.match(/Firefox/))
>>         ifr.setAttribute("src","/xss.php?csp&plain_text");
>>
>
> What's the point of that?
>

He sets the url to a script which has CSP enabled to provide same origin
restrictions.

>>     try {
>>         ifr.contentDocument.documentElement.innerHTML=src;
>>
>
> Given that you immediately do this?
>

I think you might be confused with sdc's naming conventions, "src" actually
refers to the source code supplied not the url of the iframe.
Received on Tuesday, 15 February 2011 10:06:42 GMT