- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Sun, 23 Nov 2008 18:13:41 +0100
- To: "Anne van Kesteren" <annevk@opera.com>, public-webapps@w3.org
On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren <annevk@opera.com> wrote: >> var xhrConstructor = iframe.contentWindow.XMLHttpRequest; >> iframe.src='http://attackee.example.com/'; >> . >> . >> var xhr = new xhrConstructor(); >> >> When the constructor is invoked here, the associated document of its >> associated window object is not safe to do same-origin comparisons >> against. I've tested this in the main 4 engines, and they all protect >> against this exploit but as far as I can see someone implementing the >> spec as it's written would end up vulnerable. > > Why would the SECURITY_ERR exception not be thrown during the open() > method invocation as the specification requires? Because when you call "new xhrConstructor()" the document pointer is initialized *but at that point the document of the associated window originates from attackee.example.com*. If the script goes on to request content from this domain, the same-origin comparison against the document pointer would pass when it should in fact fail because the script itself is from a different origin. -- Hallvord R. M. Steen Core JavaScript tester, Opera Software http://www.opera.com/ Opera - simply the best Internet experience
Received on Sunday, 23 November 2008 17:14:16 UTC