- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 15 Feb 2011 10:08:25 -0500
- To: gaz Heyes <gazheyes@gmail.com>
- CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 2/15/11 5:06 AM, gaz Heyes wrote:
> On 15 February 2011 07:54, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>
> On 2/15/11 2:40 AM, sird@rckc.at wrote:
>
> if(navigator.userAgent.match(/Firefox/))
> ifr.setAttribute("src","/xss.php?csp&plain_text");
>
> What's the point of that?
>
> He sets the url to a script which has CSP enabled to provide same origin
> restrictions
Yes, but he never lets it load, so those restrictions never take effect.
> try {
> ifr.contentDocument.documentElement.innerHTML=src;
>
> Given that you immediately do this?
>
> I think you might be confused with sdc's naming conventions, "src"
> actually refers to the source code supplied not the url of the iframe.
No, I'm not confused. He sets the iframe's src to something, then
without waiting for that something to load sets the innerHTML of the
about:blank document that's in the iframe right now. Which raises the
question of why he bothered setting the iframe's src in the first place.
Which is the question I asked.
-Boris
Received on Tuesday, 15 February 2011 16:45:16 UTC
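The ordering Boris describes, as an added example that is not code from the thread: setting src only schedules a navigation, so markup written before the load event lands in the iframe's initial about:blank document and never runs under the CSP of the page at src. The names writeImmediately, writeAfterLoad and fakeIframe are assumed for this example; fakeIframe is a constructed stand-in so the two orderings can be compared outside a browser, and the URL is the one quoted in the thread.

```javascript
// A new iframe already holds an initial about:blank document. Setting src
// only schedules a navigation; until the load event fires, contentDocument
// is still that about:blank document, so markup written into it never runs
// under the CSP of the page at src.

// The ordering from the thread, reduced: src is set and the markup is
// written straight away, so it lands in about:blank (which has no CSP of
// its own). Returns the document that actually received the markup.
function writeImmediately(ifr, url, markup) {
  ifr.setAttribute("src", url);
  ifr.contentDocument.documentElement.innerHTML = markup;
  return ifr.contentDocument;
}

// Corrected ordering: write only after the load event, into the document
// that came from url and therefore carries its CSP.
function writeAfterLoad(ifr, url, markup) {
  return new Promise((resolve) => {
    ifr.addEventListener("load", function onLoad() {
      ifr.removeEventListener("load", onLoad);
      ifr.contentDocument.documentElement.innerHTML = markup;
      resolve(ifr.contentDocument);
    });
    ifr.setAttribute("src", url);
  });
}

// Constructed stand-in for an iframe (not a browser API) so both orderings
// can be compared outside a browser; a real same-origin iframe follows the
// same sequence.
function fakeIframe() {
  const loadListeners = [];
  const ifr = {
    contentDocument: { URL: "about:blank", documentElement: { innerHTML: "" } },
    addEventListener(type, fn) { if (type === "load") loadListeners.push(fn); },
    removeEventListener(type, fn) {
      const i = loadListeners.indexOf(fn);
      if (type === "load" && i >= 0) loadListeners.splice(i, 1);
    },
    setAttribute(name, value) {
      if (name !== "src") return;
      // Navigation finishes asynchronously: the new document replaces
      // about:blank (discarding anything written there), then load fires.
      setTimeout(() => {
        ifr.contentDocument = { URL: value, documentElement: { innerHTML: "" } };
        loadListeners.slice().forEach((fn) => fn({ type: "load" }));
      }, 0);
    },
  };
  return ifr;
}
```

In a real page, pass an actual iframe element instead of fakeIframe(); writeAfterLoad is the ordering to use when the restrictions of the loaded document are the point.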