- From: gaz Heyes <gazheyes@gmail.com>
- Date: Tue, 15 Feb 2011 10:06:09 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Received on Tuesday, 15 February 2011 10:06:42 UTC
On 15 February 2011 07:54, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 2/15/11 2:40 AM, sird@rckc.at wrote:
>
>> if(navigator.userAgent.match(/Firefox/))
>> ifr.setAttribute("src","/xss.php?csp&plain_text");
>
> What's the point of that?

He sets the URL to a script which has CSP enabled to provide same origin restrictions.

>> try {
>> ifr.contentDocument.documentElement.innerHTML=src;
>
> Given that you immediately do this?

I think you might be confused with sdc's naming conventions, "src" actually refers to the source code supplied, not the URL of the iframe.