- From: Ory Segal <orysegal@gmail.com>
- Date: Mon, 18 Aug 2008 09:29:06 +0300
- To: "Boris Zbarsky" <bzbarsky@mit.edu>
- Cc: public-html@w3.org
Received on Monday, 18 August 2008 06:31:14 UTC
Hi, As my previous email mentioned, the child cannot set/get any objects on the parent, but it can still query for their existence, which means that: if ( parent.someObject ) will still return TRUE/FALSE. This is what enables the attack I have mentioned in my original blog post, and that is the root cause of the problem. -Ory On Mon, Aug 18, 2008 at 4:51 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > Ory Segal wrote: > >> ( Note - assuming that the child and the parent documents originate from >> the same domain >> > ... > >> Functionally speaking, the problem is not so severe, but there are >> security implications to this ambiguity - a malicious parent document (not >> from the same domain) >> > > I'm not sure how to reconcile those two things. If the parent is not from > the same domain, the child can't access things in it, and there is no > problem, no? > > -Boris >
Received on Monday, 18 August 2008 06:31:14 UTC