- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 15 Feb 2011 10:08:25 -0500
- To: gaz Heyes <gazheyes@gmail.com>
- CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 2/15/11 5:06 AM, gaz Heyes wrote:
> On 15 February 2011 07:54, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>
>> On 2/15/11 2:40 AM, sird@rckc.at wrote:
>>
>>> if(navigator.userAgent.match(/Firefox/))
>>> ifr.setAttribute("src","/xss.php?csp&plain_text");
>>
>> What's the point of that?
>
> He sets the url to a script which has CSP enabled to provide same origin
> restrictions.

Yes, but he never lets it load, so those restrictions never take effect.

>>> try {
>>> ifr.contentDocument.documentElement.innerHTML=src;
>>
>> Given that you immediately do this?
>
> I think you might be confused with sdc's naming conventions: "src"
> actually refers to the source code supplied, not the url of the iframe.

No, I'm not confused. He sets the iframe's src to something, then, without
waiting for that something to load, sets the innerHTML of the about:blank
document that's in the iframe right now.

Which raises the question of why he bothered setting the iframe's src in
the first place. Which is the question I asked.

-Boris
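The timing Boris describes, as an added example that is not code from the thread or from the sandbox being discussed: assigning an iframe's src starts a navigation that only completes on a later task, so until the load event fires, ifr.contentDocument is still the initial about:blank document, which carries no Content-Security-Policy. FakeIframe, FakeDocument, the task queue, the CSP_URL constant and the POLICIES table are constructed stand-ins for browser objects so the script runs under Node; they are not the real DOM, and the policy string is assumed, not taken from the page.

```javascript
// Added example (not from the thread): a model of iframe navigation timing.
// FakeIframe, FakeDocument, taskQueue, CSP_URL and POLICIES are constructed
// stand-ins for browser objects so this runs under Node; not the real DOM.

// Constructed: which URLs respond with a CSP header in this model.
const CSP_URL = '/xss.php?csp&plain_text';
const POLICIES = { [CSP_URL]: "default-src 'self'" };

// Pretend browser event loop: nothing queued here runs until the currently
// executing script has finished and runPendingTasks() is called.
const taskQueue = [];
function runPendingTasks() {
  while (taskQueue.length) taskQueue.shift()();
}

class FakeDocument {
  constructor(url, csp) {
    this.url = url;
    this.csp = csp; // policy delivered with this document, or null
    this.documentElement = { innerHTML: '' };
  }
}

class FakeIframe {
  constructor() {
    // A freshly inserted iframe holds an about:blank document with no policy.
    this.contentDocument = new FakeDocument('about:blank', null);
    this.loadHandlers = [];
  }
  addEventListener(type, fn) {
    if (type === 'load') this.loadHandlers.push(fn);
  }
  setAttribute(name, value) {
    if (name !== 'src') return;
    // Navigation is asynchronous: the new document replaces the old one, and
    // the load event fires, only when a later task runs.
    taskQueue.push(() => {
      this.contentDocument = new FakeDocument(value, POLICIES[value] || null);
      for (const fn of this.loadHandlers) fn();
    });
  }
}

// The ordering in the quoted snippet: set src, then write straight away.
// The write lands in the about:blank document; the navigation then replaces
// that document, discarding the markup, and the CSP never governed it.
function writeImmediately(markup) {
  const ifr = new FakeIframe();
  ifr.setAttribute('src', CSP_URL);
  const target = ifr.contentDocument; // still about:blank at this point
  target.documentElement.innerHTML = markup;
  runPendingTasks(); // the navigation finishes only now
  return { wroteTo: target, nowShowing: ifr.contentDocument };
}

// The ordering that lets the CSP-bearing document receive the markup:
// register a load handler, set src, and write only once the handler runs.
function writeAfterLoad(markup) {
  const ifr = new FakeIframe();
  let target = null;
  ifr.addEventListener('load', () => {
    target = ifr.contentDocument; // now the /xss.php document with its CSP
    target.documentElement.innerHTML = markup;
  });
  ifr.setAttribute('src', CSP_URL);
  runPendingTasks();
  return { wroteTo: target, nowShowing: ifr.contentDocument };
}

// Usage: compare which document ends up holding the markup in each ordering.
const racy = writeImmediately('<b>hello</b>');
console.log('immediate write went to', racy.wroteTo.url, 'with CSP', racy.wroteTo.csp);
console.log('frame now shows', racy.nowShowing.url, 'containing',
  JSON.stringify(racy.nowShowing.documentElement.innerHTML));
const waited = writeAfterLoad('<b>hello</b>');
console.log('write after load went to', waited.wroteTo.url, 'with CSP', waited.wroteTo.csp);
```

Two things hold in a real browser that the model leaves out: once the frame has navigated to a different origin, contentDocument is null, so a parent can only write into a same-origin document this way; and script elements inserted through innerHTML are not executed. The model only tracks which document receives the write, which is the point at issue in the thread.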
Received on Tuesday, 15 February 2011 16:45:16 UTC