- From: Brandon Sterne <bsterne@mozilla.com>
- Date: Fri, 28 Jan 2011 14:58:06 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 1/28/11 2:33 PM, gaz Heyes wrote:
> On 28 January 2011 22:26, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
>
>     If the <iframe> is in a different domain than the target site, how can
>     it inject script into the target site?
>
>
> <iframe src="//google.com <http://google.com>"
> onload="this.contentWindow.location='//microsoft.com
> <http://microsoft.com>'"></iframe>
>
> location is settable across any domain.

Okay, now we're getting somewhere. In your example, as soon as the <iframe> navigates the page, that would cause the page to be reloaded, which in our use case, would result in a new script nonce being delivered in the policy. In other words, yes, you can steal the script token using this technique, but if the token is being properly rotated, then the token would be invalid as soon as you reload the page with your new injected payload. Do I have this right?

Thanks,
Brandon
Received on Friday, 28 January 2011 22:58:39 UTC
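The following is an added example, not code from this thread or from any browser's CSP implementation. It models the point made in the reply above: a script nonce that is regenerated on every response is useless to anyone who learned it from an earlier response, because forcing a reload also delivers a fresh policy. The same model with rotation switched off shows the failure mode that "properly rotated" guards against. The `Response` class, the 128-bit URL-safe base64 nonce, the minimal `script-src` parser and all function names are constructed for this illustration.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of per-response CSP nonce handling. The server embeds the
# same nonce in the Content-Security-Policy header and in its legitimate inline
# script; the "browser" side lets an inline script run only if its nonce
# matches the policy delivered with that very response.

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
STATIC_NONCE = "constructed-static-nonce"  # weak setting: never rotated


@dataclass
class Response:
    csp_header: str
    html: str


def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, URL-safe base64 (assumed encoding; the
    # thread does not specify one).
    return secrets.token_urlsafe(16)


def render_response(rotate: bool = True) -> Response:
    """Issue one response. With rotate=True a fresh nonce is minted per response;
    with rotate=False the same nonce is reused, which is the weak configuration."""
    nonce = new_nonce() if rotate else STATIC_NONCE
    header = f"script-src 'nonce-{nonce}'; object-src 'none'"
    html = f'<script nonce="{nonce}">initPage();</script>'
    return Response(csp_header=header, html=html)


def policy_nonce(csp_header: str) -> Optional[str]:
    """Extract the nonce-source from the script-src directive, if any."""
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            for src in parts[1:]:
                m = NONCE_RE.fullmatch(src)
                if m:
                    return m.group(1)
    return None


def script_may_run(csp_header: str, script_nonce: Optional[str]) -> bool:
    """Browser-side check: the inline script's nonce must equal the nonce in the
    policy delivered with the same response. Constant-time compare to avoid
    leaking the nonce through timing."""
    expected = policy_nonce(csp_header)
    if expected is None or script_nonce is None:
        return False
    return hmac.compare_digest(expected, script_nonce)


def simulate_reload(rotate: bool = True) -> dict:
    """Replay the scenario from the thread:
    1. the page is served with nonce N1;
    2. N1 is read out of that first response;
    3. the page is reloaded, delivering a new policy (N2 if rotating, N1 if not);
    4. a script carrying the stale N1 is checked against the reloaded policy.
    """
    first = render_response(rotate)
    observed = policy_nonce(first.csp_header)  # what response 1 reveals
    second = render_response(rotate)            # the forced reload
    current = policy_nonce(second.csp_header)
    return {
        "nonces_differ": observed != current,
        "stale_nonce_runs": script_may_run(second.csp_header, observed),
        "fresh_nonce_runs": script_may_run(second.csp_header, current),
    }


if __name__ == "__main__":
    print("rotated:", simulate_reload(rotate=True))
    print("static: ", simulate_reload(rotate=False))
```

With rotation on, the stale nonce is rejected and only the nonce from the reloaded response is honoured; with the static nonce the stale value is still accepted after the reload, which is exactly the gap the reply is probing for.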