W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2011

[Bug 12469] Dynamic Cross-Site Scripting and Page Repainting

From: <bugzilla@jessica.w3.org>
Date: Tue, 12 Apr 2011 10:28:39 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Q9apr-0001M1-S6@jessica.w3.org>

--- Comment #9 from Henri Sivonen <hsivonen@iki.fi> 2011-04-12 10:28:39 UTC ---
(In reply to comment #4)
> Firstly, the external site referenced to in the iFrame does not need to be a
> .js file, it can be any webpage format (html, xml, php etc...) providing a
> message listener is implemented. 

This isn't particularly interesting considering that your scenario requires an
inline script to be injected first. If all the attack code were packed into
that script, the attack would work without any external files at all.

> Secondly, this exploit conforms to the DOM same-origin policy because the
> external script/page is not included directly in the website (itís in the
> iFrame), cross-site messaging is allowed and the injected code appears to be
> the normal construct of the page. In the case of a stored/persistent XSS attack
> this would make it invisible to browser-based XSS detection, such as those
> employed by IE and Safari.

Your scenario involves injecting a <script>, which is something XSS detectors
look for.

> Thirdly, the external page (within the iFrame) has full control of the
> compromised site because the injected code acts as its slave. Cross-domain
> control of an iFrames parent window in JavaScript was previously impossible.

The bootstrap <script> your scenario requires injecting already has full

So the actual compromise happens when the bootstrap script gets injected. That
the bootstrap script could use cross-document messaging isn't particularly

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Tuesday, 12 April 2011 10:28:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:46 UTC