- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 02 Apr 2012 20:21:45 -0400
On 4/2/12 7:39 PM, Ian Hickson wrote: >> For example, an attacker could open a window on a victim web page. The >> victim web page then opens an<iframe> on a content URL that triggers >> RPH. The attacker then navigates the<iframe> so that its >> window.location contains a different content URL. > > How can the attacker navigate that iframe? Surely it would not be allowed > to navigate it, per the "allowed to navigate" definition in HTML. As far as I can tell UAs seem to allow walking window.frames for any window you have a reference to without performing any same-origin checks, so you can walk your way down the frame hierarchy and then set location.href, which is allowed cross-origin. I don't see any sort of "allowed to navigate" check happening on the href set in UAs, but maybe I'm testing it wrong? -Boris
Received on Monday, 2 April 2012 17:21:45 UTC