- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 3 Jul 2014 19:00:36 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Boris Zbarsky <bzbarsky@mit.edu>
On Tue, Jun 3, 2014 at 12:21 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> srcdoc is like eval(). Yes, it's definitely a tool that enables you to
> run 3rd party code in your own context and with your own principal.
> However whenever you use the feature you (should) know that it's
> running code in your own context and with your own principal. So
> hopefully pages will make sure to not pass untrusted 3rd party code to
> either srcdoc or eval().
>
> We've seen this happen internally in Gecko where chrome code will get
> XSSed by being tricked to load data URLs. And I've been trying to move
> us towards only allowing data: to run with a chrome principal if
> chrome code explicitly opts in to that.
>
> I don't see why websites wouldn't face the same challenges and why the
> same solution wouldn't work there.

What about:

<iframe src=javascript:alert(top.document.title)></iframe>

It seems that has the same issue.

--
http://annevankesteren.nl/
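The thread's point is that a javascript: (or, in Gecko chrome, data:) URL placed in an iframe src runs with the embedder's principal, just as srcdoc does. The check below is an added example, not code from the thread or from any browser; it runs a candidate src value through the WHATWG URL parser before looking at the scheme, so the same normalisation the browser applies (leading whitespace trimmed, tabs and newlines removed, scheme lower-cased) cannot be used to sneak a javascript: URL past a naive string comparison. The base URL `https://embedder.example/` and the option name `treatDataAsInheriting` are assumptions for the example.

```javascript
// Added example: decide whether an untrusted value is acceptable as an
// <iframe src>. Rejects schemes that would execute with the embedding
// document's principal (javascript:, and data: where the embedder treats it
// as inheriting, as Gecko chrome did), then allowlists http(s) only.
// Assumes a WHATWG URL implementation (Node.js or a browser).

const INHERITING_SCHEMES = new Set(["javascript:"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical base URL of the embedding page; relative srcs resolve against it.
const EMBEDDER_BASE = "https://embedder.example/";

function classifyIframeSrc(src, { treatDataAsInheriting = false } = {}) {
  let url;
  try {
    // Parsing (rather than string-matching) removes tab/newline, trims
    // leading C0 controls/spaces and lower-cases the scheme, matching what
    // the browser will do when it actually loads the frame.
    url = new URL(String(src), EMBEDDER_BASE);
  } catch (e) {
    return { allowed: false, reason: "unparsable" };
  }

  if (INHERITING_SCHEMES.has(url.protocol) ||
      (treatDataAsInheriting && url.protocol === "data:")) {
    // Would run in the embedder's origin, like srcdoc or eval().
    return { allowed: false, reason: "inherits-principal", scheme: url.protocol };
  }

  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: "not-allowlisted", scheme: url.protocol };
  }

  return { allowed: true, href: url.href };
}

// Constructed sample inputs, as a caller might receive them from a third party.
const SAMPLES = [
  "javascript:alert(top.document.title)",   // the case raised in the thread
  " \tJAVA\nSCRIPT:alert(1)",               // defeats a naive startsWith check
  "data:text/html,<script>alert(1)</script>",
  "https://third.example/widget",
  "/local/page.html",
];

function classifyAll(samples = SAMPLES, options = {}) {
  return samples.map((s) => ({ src: s, ...classifyIframeSrc(s, options) }));
}

module.exports = { classifyIframeSrc, classifyAll, SAMPLES };
```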
Received on Thursday, 3 July 2014 17:01:03 UTC