[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 7:39 PM, Ian Hickson wrote:
> > > For example, an attacker could open a window on a victim web page. 
> > > The victim web page then opens an <iframe> on a content URL that 
> > > triggers RPH. The attacker then navigates the <iframe> so that its 
> > > window.location contains a different content URL.
> > 
> > How can the attacker navigate that iframe? Surely it would not be 
> > allowed to navigate it, per the "allowed to navigate" definition in 
> > HTML.
> 
> As far as I can tell UAs seem to allow walking window.frames for any 
> window you have a reference to without performing any same-origin 
> checks, so you can walk your way down the frame hierarchy and then set 
> location.href, which is allowed cross-origin.  I don't see any sort of 
> "allowed to navigate" check happening on the href set in UAs, but maybe 
> I'm testing it wrong?

Ah, yes, good point, I forgot that the attacker would have a reference to 
the Window object.

Seems like it would be just as easy to just register a protocol handler 
though. I mean, why would the victim assume it trusts the handler in this 
scenario?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 2 April 2012 17:25:43 UTC