- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 28 Jan 2011 14:26:54 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 1/28/11 2:05 PM, gaz Heyes wrote:
> On 28 January 2011 18:42, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
>
>> I'm also still trying to wrap my head around your <iframe> and <img>
>> token-stealing attack on the script-nonce approach.
>
> Hehe, maybe my brain is just weird. OK, the iframe waits for the img;
> that's why I use onload, then a 10 sec delay. The readKey function
> basically calls the server-side script, which receives the result from
> the img injection. It's passing from the server to the client iframe,
> then the iframe can inject the XSS.

I understand that is what you are claiming. I grant that your method allows the attacker to read the token from the target site. My question, which you did not respond to, is: if the <iframe> is in a different domain than the target site, how can it inject script into the target site?

-Brandon
Received on Friday, 28 January 2011 22:27:58 UTC