- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Mon, 24 Nov 2008 12:47:25 +0100
- To: "Anne van Kesteren" <annevk@opera.com>, public-webapps@w3.org
On Sun, 23 Nov 2008 22:32:02 +0100, Anne van Kesteren <annevk@opera.com> wrote: >>>> var xhrConstructor = iframe.contentWindow.XMLHttpRequest; >>>> iframe.src='http://attackee.example.com/'; >>>> . >>>> . >>>> var xhr = new xhrConstructor(); >>>> >>>> When the constructor is invoked here, the associated document of its >>>> associated window object is not safe to do same-origin comparisons >>>> against. I've tested this in the main 4 engines, and they all protect >>>> against this exploit but as far as I can see someone implementing the >>>> spec as it's written would end up vulnerable. >>> Why would the SECURITY_ERR exception not be thrown during the open() >>> method invocation as the specification requires? >> Because when you call "new xhrConstructor()" the document pointer is >> initialized *but at that point the document of the associated window >> originates from attackee.example.com*. > Once you navigate the original Document is either destroyed or stays > around. However, it does not suddenly change into the Document of > another domain. The point is that there *is* no document pointer until you call the constructur - per the spec. And once that script calls the constructor and the document pointer is created, the associated window has a different document in it from a different origin. Hence the document pointer will reference a document from a different origin than the script itself has, and same-origin comparisons will pass when they should fail and vice versa. If you still don't get it please read carefully because I don't know how to explain it clearer than that :-p. Besides, I'm on vacation and will try not to read E-mail ;) -- Hallvord R. M. Steen Core JavaScript tester, Opera Software http://www.opera.com/ Opera - simply the best Internet experience
Received on Monday, 24 November 2008 11:47:59 UTC