
[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Apr 2012 20:21:45 -0400
Message-ID: <4F7A4299.1020507@mit.edu>
On 4/2/12 7:39 PM, Ian Hickson wrote:
>> For example, an attacker could open a window on a victim web page. The
>> victim web page then opens an <iframe> on a content URL that triggers
>> RPH. The attacker then navigates the <iframe> so that its
>> window.location contains a different content URL.
>
> How can the attacker navigate that iframe? Surely it would not be allowed
> to navigate it, per the "allowed to navigate" definition in HTML.

As far as I can tell UAs seem to allow walking window.frames for any 
window you have a reference to without performing any same-origin 
checks, so you can walk your way down the frame hierarchy and then set 
location.href, which is allowed cross-origin.  I don't see any sort of 
"allowed to navigate" check happening on the href set in UAs, but maybe 
I'm testing it wrong?

-Boris
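As an added example (not part of the thread), a toy JavaScript model of the spec's "allowed to navigate" check that Ian cites, applied to the window/iframe arrangement Boris describes. The four conditions are my paraphrase of the 2012-era definition (an assumption; real browsers apply further rules), and the origins are constructed.

```javascript
// Toy model of the HTML "allowed to navigate" check (2012-era definition,
// paraphrased from memory; assumption, not the spec text itself).
class BrowsingContext {
  constructor(name, origin, { parent = null, opener = null } = {}) {
    this.name = name;        // label for readability only
    this.origin = origin;    // origin of the active document
    this.parent = parent;    // set for nested (iframe) browsing contexts
    this.opener = opener;    // set for auxiliary (window.open) browsing contexts
  }
  get top() { return this.parent ? this.parent.top : this; }
  ancestors() {              // closest parent first
    const out = [];
    for (let p = this.parent; p; p = p.parent) out.push(p);
    return out;
  }
}

// A is allowed to navigate B if any one of these conditions holds.
function allowedToNavigate(A, B) {
  if (A.origin === B.origin) return true;                       // same origin
  if (A.parent && A.top === B) return true;                     // nested A may navigate its own top
  if (B.opener && allowedToNavigate(A, B.opener)) return true;  // B is auxiliary and A may navigate its opener
  return B.ancestors().some(anc => anc.origin === A.origin);    // A shares origin with an ancestor of B
}

// Boris's arrangement, with constructed origins: the attacker opens the
// victim as a new window, and the victim embeds a content iframe.
function borisScenario() {
  const attacker = new BrowsingContext('attacker', 'https://attacker.example');
  const victim   = new BrowsingContext('victim', 'https://victim.example', { opener: attacker });
  const frame    = new BrowsingContext('frame', 'https://content.example', { parent: victim });
  return {
    victimNavigatesFrame:    allowedToNavigate(victim, frame),    // true: victim is an ancestor of the frame
    frameNavigatesVictim:    allowedToNavigate(frame, victim),    // true: a nested context may navigate its top
    attackerNavigatesVictim: allowedToNavigate(attacker, victim), // true: victim is auxiliary, attacker is its opener
    attackerNavigatesFrame:  allowedToNavigate(attacker, frame),  // false: the spec check denies the cross-window navigation
  };
}
```

The last result is the point of the exchange: the spec's check says no, so a UA that lets a cross-origin location.href set through without it is diverging from the definition Ian refers to.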
Received on Monday, 2 April 2012 17:21:45 GMT
