
Re: A perfect DOM sandbox

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 15 Feb 2011 10:08:25 -0500
Message-ID: <4D5A96E9.40109@mit.edu>
To: gaz Heyes <gazheyes@gmail.com>
CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 2/15/11 5:06 AM, gaz Heyes wrote:
> On 15 February 2011 07:54, Boris Zbarsky <bzbarsky@mit.edu
> <mailto:bzbarsky@mit.edu>> wrote:
>
>     On 2/15/11 2:40 AM, sird@rckc.at <mailto:sird@rckc.at> wrote:
>
>              if(navigator.userAgent.match(/Firefox/))
>                  ifr.setAttribute("src","/xss.php?csp&plain_text");
>
>     What's the point of that?
>
> He sets the url to a script which has CSP enabled to provide same origin
> restrictions

Yes, but he never lets it load, so those restrictions never take effect.

>          try {
>              ifr.contentDocument.documentElement.innerHTML=src;
>
>     Given that you immediately do this?
>
> I think you might be confused with sdc's naming conventions, "src"
> actually refers to the source code supplied not the url of the iframe.

No, I'm not confused.  He sets the iframe's src to something, then 
without waiting for that something to load sets the innerHTML of the 
about:blank document that's in the iframe right now.  Which raises the 
question of why he bothered setting the iframe's src in the first place. 
Which is the question I asked.

-Boris
Received on Tuesday, 15 February 2011 16:45:16 GMT
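The ordering problem Boris describes, as an added example that is not code from this thread: the first function writes into the about:blank document that is in the frame at that instant, the second defers the write until the frame's load event. The function names, the `makeFakeFrame` stand-in and its two-document model are assumptions made here; the real functions expect an iframe already attached to a same-origin document.

```javascript
// Ordering from the thread: setAttribute("src") starts a navigation, but
// the write happens synchronously, so it lands in the about:blank document
// still in the frame. The CSP served with `url` never applies to `html`.
function writeWithoutWaiting(ifr, url, html) {
  ifr.setAttribute("src", url);
  ifr.contentDocument.documentElement.innerHTML = html;
  return ifr.contentDocument; // still the about:blank document
}

// Wait for the load event, then write into the document served from `url`.
// Assumes `url` is same-origin (cross-origin frames give contentDocument null).
function writeAfterLoad(ifr, url, html) {
  return new Promise((resolve) => {
    ifr.addEventListener("load", () => {
      ifr.contentDocument.documentElement.innerHTML = html;
      resolve(ifr.contentDocument);
    }, { once: true });
    ifr.setAttribute("src", url); // register the listener first, then navigate
  });
}

// Constructed stand-in for an <iframe>, only so this file runs outside a
// browser. It models just the two-document lifecycle the thread is about:
// contentDocument is about:blank until the navigation completes, then it is
// replaced by the loaded document and "load" fires.
function makeFakeFrame() {
  const listeners = [];
  const ifr = {
    contentDocument: { url: "about:blank", documentElement: { innerHTML: "" } },
    addEventListener(type, fn) { if (type === "load") listeners.push(fn); },
    setAttribute(name, value) {
      if (name !== "src") return;
      setTimeout(() => { // navigation completes asynchronously
        ifr.contentDocument = { url: value, documentElement: { innerHTML: "" } };
        listeners.splice(0).forEach((fn) => fn());
      }, 0);
    },
  };
  return ifr;
}

// Stand-alone demo: compare where the same markup ends up under each ordering.
const DEMO_URL = "/xss.php?csp&plain_text";
const early = writeWithoutWaiting(makeFakeFrame(), DEMO_URL, "<p>sandboxed?</p>");
console.log("without waiting, wrote into:", early.url);
writeAfterLoad(makeFakeFrame(), DEMO_URL, "<p>sandboxed?</p>")
  .then((doc) => console.log("after load, wrote into:", doc.url));
```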
