Re: A perfect DOM sandbox

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 15 Feb 2011 16:59:03 +0000
Message-ID: <AANLkTimpZYZnvdv5akJz6wW4SBsEaS30jN+P-_CLVorv@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 15 February 2011 15:08, Boris Zbarsky <bzbarsky@mit.edu> wrote:

>> He sets the url to a script which has CSP enabled to provide same origin
>> restrictions
>
> Yes, but he never lets it load, so those restrictions never take effect.
>
>
>>          try {
>>             ifr.contentDocument.documentElement.innerHTML=src;
>>
>>    Given that you immediately do this?
>>
>> I think you might be confused with sdc's naming conventions, "src"
>> actually refers to the source code supplied not the url of the iframe.
>>
>
> No, I'm not confused.  He sets the iframe's src to something, then without
> waiting for that something to load sets the innerHTML of the about:blank
> document that's in the iframe right now.  Which raises the question of why
> he bothered setting the iframe's src in the first place.  Which is the
> question I asked.


Apologies, I must admit I didn't try the code.
Received on Tuesday, 15 February 2011 17:07:01 GMT