Re: text/sandboxed-html

On Jun 4, 2010, at 10:00 AM, Adam Barth wrote:

> On Thu, Jun 3, 2010 at 2:55 PM, Artur Adib <arturadib@gmail.com> wrote:
>> On Thu, Jun 3, 2010 at 5:37 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
>>> Could an attacker use a custom Flash object to force top-level navigation?
>> 
>> Good question.
>> 
>> Adam- Do you happen to know if that's possible in WebKit?  I mean, I
>> don't even know if Flash has access to 'top.location', but if it does,
>> will @sandbox protect it?
> 
> You can run an experiment and see, but, in general, there's no way for
> the browser to contain what plug-ins are able to do.  If navigating
> the top frame doesn't work today, that's an accident of implementation
> and not a security property, which means you can probably find some
> tricky way of asking Flash to navigate the top frame that works.

I'm almost certain it can be done. The plugin API has a specific way to request navigation of a chosen frame that does not go through JavaScript. I believe Flash exposes it to ActionScript. I suspect no one bothers to use it for framebusting currently since JavaScript is easier, but it would surely become more popular if <iframe sandbox> becomes popular for framebusting.

Regards,
Maciej

Received on Thursday, 10 June 2010 19:08:34 UTC