
[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 3 Apr 2012 00:25:43 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1204030024280.17364@ps20323.dreamhostps.com>
On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 7:39 PM, Ian Hickson wrote:
> > > For example, an attacker could open a window on a victim web page. 
> > > The victim web page then opens an <iframe> on a content URL that 
> > > triggers RPH. The attacker then navigates the <iframe> so that its 
> > > window.location contains a different content URL.
> > 
> > How can the attacker navigate that iframe? Surely it would not be 
> > allowed to navigate it, per the "allowed to navigate" definition in 
> > HTML.
> 
> As far as I can tell UAs seem to allow walking window.frames for any 
> window you have a reference to without performing any same-origin 
> checks, so you can walk your way down the frame hierarchy and then set 
> location.href, which is allowed cross-origin.  I don't see any sort of 
> "allowed to navigate" check happening on the href set in UAs, but maybe 
> I'm testing it wrong?

Ah, yes, good point, I forgot that the attacker would have a reference to 
the Window object.

Seems like it would be just as easy to just register a protocol handler 
though. I mean, why would the victim assume it trusts the handler in this 
scenario?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 2 April 2012 17:25:43 GMT
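The exchange above, as an added example that is not part of the original thread and not code from any browser: a small Node.js model of a browsing-context tree, with the spec's "allowed to navigate" rule paraphrased (an assumption about the 2012 text, not quoted from it) next to the behaviour Boris reports, where window.frames can be walked and location.href set with no such check. The origins, frame names and URLs are made up for the illustration.

```javascript
// Toy model of a browsing-context tree and of HTML's "allowed to navigate"
// check. Simulation only, not browser code: origins and URLs are made up.

function makeContext(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener, frames: [], href: origin + "/" };
}

// Nested browsing context, i.e. an <iframe> inside `parent`.
function addFrame(parent, name, origin) {
  const frame = makeContext(name, origin, { parent });
  parent.frames.push(frame);
  return frame;
}

function topOf(bc) {
  let c = bc;
  while (c.parent) c = c.parent;
  return c;
}

function ancestorsOf(bc) {
  const out = [];
  for (let c = bc.parent; c; c = c.parent) out.push(c);
  return out;
}

// Paraphrase (assumption) of the spec's "A is allowed to navigate B" rule:
//   1. A and B are same-origin, or
//   2. A is nested and B is A's top-level browsing context, or
//   3. B is auxiliary (has an opener) and A may navigate that opener, or
//   4. B is nested and some ancestor of B is same-origin with A.
function allowedToNavigate(a, b) {
  if (a.origin === b.origin) return true;
  if (a.parent !== null && topOf(a) === b) return true;
  if (b.opener !== null && allowedToNavigate(a, b.opener)) return true;
  if (b.parent !== null && ancestorsOf(b).some((c) => c.origin === a.origin)) return true;
  return false;
}

// The window.frames walk as Boris describes it: no origin check on the walk.
function descendantFrames(w) {
  const out = [];
  for (const f of w.frames) out.push(f, ...descendantFrames(f));
  return out;
}

// Setting location.href on `target` from `source`. With enforce=false this
// models the UA behaviour Boris reports (cross-origin href set, no check);
// with enforce=true the "allowed to navigate" rule is applied first.
function setLocation(source, target, url, enforce) {
  if (enforce && !allowedToNavigate(source, target)) return false;
  target.href = url;
  return true;
}

// The scenario from the thread: the attacker opens the victim, the victim
// frames a content URL that triggers RPH, the attacker re-targets that iframe.
function runScenario(enforce) {
  const attacker = makeContext("attacker", "https://attacker.example");
  const victim = makeContext("victim", "https://victim.example", { opener: attacker });
  // After RPH the iframe shows the registered handler's page (made-up origin).
  const rphFrame = addFrame(victim, "rph", "https://handler.example");

  const [frame] = descendantFrames(victim); // the walk itself always succeeds
  const navigatedFrame = setLocation(attacker, frame, "web+example:other-content", enforce);
  const navigatedTop = setLocation(attacker, victim, "https://attacker.example/landing", enforce);
  return { reachedFrame: frame === rphFrame, navigatedFrame, navigatedTop, frameHref: frame.href };
}

console.log("UA as observed:", runScenario(false));
console.log("spec check    :", runScenario(true));
```

With the check enforced, the attacker's top-level window may still navigate the victim window it opened (rule 3, via the opener), but not the victim's nested iframe, since none of that iframe's ancestors is same-origin with the attacker; without the check, both navigations go through, which is the gap Boris points out.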
