
[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Tue, 12 Apr 2011 08:35:06 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9Z3y-00027q-9r@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

--- Comment #6 from Simon <simon.young90@live.com> 2011-04-12 08:35:05 UTC ---
Thanks Henri,

However, with respect, I think you have misinterpreted the idea of this
exploit. The recvPayload function is in fact part of the injected code. Though I
could validate the origin of messages so that it can only be exploited by my
server, I have not done so in the case of this example.
You could add an extra line to validate the message by cross-checking it with the
iFrame.

Thanks,

Simon

Received on Tuesday, 12 April 2011 08:35:08 UTC
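
The origin validation and the cross-check against the iframe mentioned in the comment above, sketched for a page that receives postMessage data from a frame it embeds. This is an added example, not code from the bug report; the function names, the origin https://widgets.example and the sample events are constructed.

```javascript
// Added example: all names, origins and events here are constructed.

// Build a check bound to one trusted origin and one iframe element.
function makeMessageValidator(trustedOrigin, frame) {
  // Normalise once so the comparison is an exact match on scheme://host[:port].
  const expected = new URL(trustedOrigin).origin;
  return function isTrusted(event) {
    // 1. Exact origin match. Prefix or substring tests are unsafe:
    //    "https://widgets.example.evil.test" starts with the trusted origin.
    //    Sandboxed frames report the string "null", which also fails here.
    if (typeof event.origin !== 'string' || event.origin !== expected) return false;
    // 2. Cross-check with the iframe: the sender must be that frame's own
    //    window, not some other window that happens to share the origin.
    if (!frame || event.source !== frame.contentWindow) return false;
    return true;
  };
}

// Wrap a payload handler so it only ever sees validated messages.
function makeReceiver(trustedOrigin, frame, onPayload) {
  const isTrusted = makeMessageValidator(trustedOrigin, frame);
  return function receive(event) {
    if (!isTrusted(event)) return false; // dropped; event.data is never touched
    onPayload(event.data);
    return true;
  };
}
// Browser use: window.addEventListener('message', makeReceiver(origin, iframeEl, fn));

// Constructed stand-ins for an iframe element and MessageEvent objects.
function runSamples() {
  const frameWindow = { name: 'embedded-frame' };
  const otherWindow = { name: 'unrelated-window' };
  const frame = { contentWindow: frameWindow };
  const accepted = [];
  const receive = makeReceiver('https://widgets.example', frame, (d) => accepted.push(d));
  const events = [
    { origin: 'https://widgets.example', source: frameWindow, data: 'ok' },
    { origin: 'https://widgets.example.evil.test', source: frameWindow, data: 'lookalike' },
    { origin: 'https://widgets.example', source: otherWindow, data: 'wrong window' },
    { origin: 'null', source: frameWindow, data: 'sandboxed' },
  ];
  return { results: events.map((e) => receive(e)), accepted };
}

console.log(runSamples());
```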
