- From: <bugzilla@jessica.w3.org>
- Date: Tue, 12 Apr 2011 11:06:23 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12469

--- Comment #10 from Simon <simon.young90@live.com> 2011-04-12 11:06:22 UTC ---

Thank you again for your input; I do appreciate it. Though I think we may have to agree to disagree, as I feel I'm just further reiterating my points.

I will say, however, previous exploits require the injection of a script via:

    <script src="www.externaldomain.com/script.js">

In the case of a stored XSS attack (one that becomes a permanent feature of a website), this would be an obvious indicator of cross-site scripting. In my example, script embedding can be a lot more subtle:

    <iframe id="mommy" src="www.externaldomain.com/randomwebpage.html" style="visibility:hidden; height:0; width:0"></iframe>

As a result of this same-origin compliant embedding, it would be harder to detect any cross-site scripting activity. The corresponding injected <script> accompanying the iFrame does not reference anything that could be deemed suspicious, because it also complies with the same-origin policy and, being stored, does not feature in the URL bar of the browser either (another method of detecting XSS).

Many Thanks,
Simon
Received on Tuesday, 12 April 2011 11:06:28 UTC
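
The comment above contrasts an external `<script src>` with a hidden cross-origin iframe in stored markup. The following is an added example, not part of the original message or the bug thread: a Python audit of stored HTML fragments that flags both patterns. The site host `forum.example`, the `https://` scheme on the sample URLs and the sample posts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "forum.example"  # assumption: host of the site whose stored content is audited

# Constructed sample fragments modelled on the two snippets in the comment.
SAMPLE_POSTS = {
    "post-1": '<p>hi</p><script src="https://www.externaldomain.com/script.js"></script>',
    "post-2": '<iframe id="mommy" src="https://www.externaldomain.com/randomwebpage.html" '
              'style="visibility:hidden; height:0; width:0"></iframe>',
    "post-3": '<iframe src="/help/embed.html" width="400" height="300"></iframe>',
}

def parse_style(decl):
    """Turn an inline style attribute into a {property: value} dict."""
    pairs = (p.split(":", 1) for p in (decl or "").split(";") if ":" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def is_zero(value):
    """True for '0', '0px', '0%' (a collapsed dimension)."""
    return value is not None and value.strip().lower().rstrip("px%") == "0"

class EmbedAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc.lower()
        if not host or host == self.site_host:
            return  # inline, relative or same-host resource
        if tag == "script":
            self.findings.append(("external-script", host))
            return
        st = parse_style(a.get("style"))
        hidden = (st.get("visibility") == "hidden" or st.get("display") == "none"
                  or is_zero(st.get("height", a.get("height")))
                  or is_zero(st.get("width", a.get("width"))))
        self.findings.append(("hidden-external-iframe" if hidden else "external-iframe", host))

def audit(html, site_host=SITE_HOST):
    """Return (finding, host) tuples for externally sourced scripts and iframes."""
    parser = EmbedAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` over each stored fragment before it is rendered; a `hidden-external-iframe` finding is the case the comment describes as harder to spot by eye.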