
[whatwg] Fixing two security vulnerabilities in registerProtocolHandler

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 9 Apr 2012 16:28:56 -0700
Message-ID: <CAKvcKKmfjgBaGkkiazX83ebE38ZnAR_MJP+7shcmfuG3gR2nRg@mail.gmail.com>
On Mon, Apr 9, 2012 at 4:23 PM, Tyler Close <tyler.close at gmail.com> wrote:
> On Mon, Apr 9, 2012 at 3:12 PM, Ian Hickson <ian at hixie.ch> wrote:
>> Just wait for the iframe to
>> appear and then navigate it to the mailto: handler with the parameters you
>> want.

That attacker has to navigate the iframe to the RPH handler URL with
the embedded mailto URL, not the mailto URL directly. Using the mailto
URL directly would cause the browser to run through its RPH code a
second time, causing the user to see a second Picker dialog, so the
attack is no longer invisible to the user.

--Tyler
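A handler-side check for the framed case discussed above, written as an added example for this archive page rather than code from Tyler, Ian or the WHATWG spec. It assumes a site that registered a `mailto` handler whose template URL carries the handed-over URL in a `url` query parameter (the parameter name and the handler origin are assumptions), and it shows how such a handler can refuse to act on a request that arrives inside an iframe and only accept well-formed `mailto:` URLs.

```javascript
// Added example: defensive logic for a page registered as a mailto handler,
// e.g. navigator.registerProtocolHandler("mailto", "https://mail.example/compose?url=%s", ...).
// The "url" parameter name and the origin are assumptions made for this example.

// Pull the %s substitution out of the handler page's own location.
function extractHandledUrl(handlerLocation, paramName = "url") {
  const loc = new URL(handlerLocation);
  return loc.searchParams.get(paramName); // already percent-decoded; null if absent
}

// Accept only mailto: URLs and split them into recipients plus header fields.
function parseMailto(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return null; // not a URL at all
  }
  if (parsed.protocol !== "mailto:") return null;
  const recipients = parsed.pathname
    .split(",")
    .map((s) => decodeURIComponent(s.trim()))
    .filter(Boolean);
  const fields = {};
  for (const [key, value] of parsed.searchParams) fields[key.toLowerCase()] = value;
  return { recipients, subject: fields.subject || "", body: fields.body || "" };
}

// Decide what the handler page should do. Refusing when framed closes the
// invisible-iframe variant: a framed handler never pre-fills a draft.
function decideHandlerRequest(handlerLocation, isFramed) {
  if (isFramed) return { action: "refuse", reason: "framed" };
  const raw = extractHandledUrl(handlerLocation);
  if (raw === null) return { action: "refuse", reason: "missing-parameter" };
  const draft = parseMailto(raw);
  if (draft === null) return { action: "refuse", reason: "not-mailto" };
  return { action: "prefill", draft };
}

// Browser entry point: the usual framing test (no-op outside a browser).
function isFramedInBrowser() {
  return typeof window !== "undefined" && window.top !== window.self;
}

// Constructed sample: what the browser would load for a mailto: navigation.
const SAMPLE_HANDLER_LOCATION =
  "https://mail.example/compose?url=" +
  encodeURIComponent("mailto:alice@example.com?subject=Hi&body=Hello%20there");

if (typeof window === "undefined") {
  console.log(decideHandlerRequest(SAMPLE_HANDLER_LOCATION, false));
  console.log(decideHandlerRequest(SAMPLE_HANDLER_LOCATION, true));
}
```

In a real handler page the second argument would be `isFramedInBrowser()`; a `frame-ancestors` Content-Security-Policy on the handler URL achieves the same refusal before any script runs.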
Received on Monday, 9 April 2012 16:28:56 GMT
