- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 21 Nov 2008 21:14:59 +0100
- To: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps@w3.org

On Fri, 21 Nov 2008 17:28:34 +0100, Hallvord R. M. Steen <hallvord@opera.com> wrote:
> var xhrConstructor = iframe.contentWindow.XMLHttpRequest;
> iframe.src='http://attackee.example.com/';
> .
> .
> var xhr = new xhrConstructor();
>
> When the constructor is invoked here, the associated document of its
> associated window object is not safe to do same-origin comparisons
> against. I've tested this in the main 4 engines, and they all protect
> against this exploit but as far as I can see someone implementing the
> spec as it's written would end up vulnerable.

Why would the SECURITY_ERR exception not be thrown during the open() method invocation as the specification requires?

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 21 November 2008 20:15:48 UTC