[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

Henri Sivonen <hsivonen@iki.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hsivonen@iki.fi

--- Comment #5 from Henri Sivonen <hsivonen@iki.fi> 2011-04-12 05:55:18 UTC ---
(In reply to comment #4)
> Secondly, this exploit conforms to the DOM same-origin policy because the
> external script/page is not included directly in the website (it’s in the
> iFrame), cross-site messaging is allowed and the injected code appears to be
> the normal construct of the page. In the case of a stored/persistent XSS attack
> this would make it invisible to browser-based XSS detection, such as those
> employed by IE and Safari.

This is not quite so. With cross-document messaging, the user of the API is
responsible for checking that the "message" events come from an origin the page
trusts if the page does something that requires trusted message data. Passing
the message data to innerHTML or document.write is dangerous, so you should be
checking that event.origin is trusted in recvPayload. That you don't is a
security bug in your code.


Received on Tuesday, 12 April 2011 05:55:21 UTC
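Henri's point in comment #5 is that a "message" event handler, not the browser, is the trust boundary for cross-document messaging: the page must check `event.origin` before doing anything with `event.data`, and feeding it to `innerHTML` or `document.write` makes an unchecked handler a self-inflicted XSS. The example below is added here for illustration and is not code from the bug report or from any browser project. It keeps the handler name `recvPayload` mentioned in the comment; the trusted origin, the message payloads and the simulated DOM sink are assumptions. The sink records writes instead of touching a real document so the logic can be run under Node.

```javascript
// Simulated DOM sink (assumption for illustration): records what a handler
// would have written, and whether it was written as markup or as text.
function makeSink() {
  const log = [];
  return {
    log,
    setHTML(html) { log.push({ kind: "html", value: html }); }, // like innerHTML
    setText(text) { log.push({ kind: "text", value: text }); }, // like textContent
  };
}

// Origin the page actually trusts to send it payloads (assumed value).
const TRUSTED_ORIGIN = "https://app.example";

// Vulnerable receiver, as described in the bug: accepts any "message" event
// from any origin and treats the data as markup.
function recvPayloadUnchecked(event, sink) {
  sink.setHTML(String(event.data));
  return { accepted: true };
}

// Hardened receiver: drop events whose origin is not trusted, and even for a
// trusted origin treat the payload as text rather than HTML.
function recvPayload(event, sink, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    // Untrusted frame: ignore the payload. A real page could also log this
    // for detection, since legitimate senders never hit this branch.
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  sink.setText(String(event.data));
  return { accepted: true };
}

// Constructed sample events shaped like MessageEvent {origin, data}.
// The second one stands in for a message from a hostile frame.
const SAMPLE_EVENTS = [
  { origin: "https://app.example", data: "status: ok" },
  { origin: "https://other.example", data: "<b>injected markup</b>" },
];

// Run a handler over the sample events and summarise what reached the sink.
function deliverAll(handler, events = SAMPLE_EVENTS) {
  const sink = makeSink();
  let accepted = 0;
  for (const ev of events) {
    if (handler(ev, sink).accepted) accepted += 1;
  }
  return { accepted, htmlWrites: sink.log.filter((w) => w.kind === "html").length };
}

// Stand-alone run: the unchecked handler writes the hostile payload as markup;
// the checked handler drops it and writes the trusted payload as text.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unchecked:", deliverAll(recvPayloadUnchecked));
  console.log("checked:  ", deliverAll(recvPayload));
}
```

In a real page the registration is `window.addEventListener("message", recvPayload)`, and the same origin discipline applies on the sending side: call `postMessage(data, targetOrigin)` with an explicit target origin rather than `"*"`, so a payload cannot be read by a frame that has navigated elsewhere.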