
[whatwg] Cross-origin JavaScript capability leak in showModalDialog

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 12 Jun 2009 01:21:36 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0906120117050.1648@hixie.dreamhostps.com>
On Thu, 28 May 2009, Adam Barth wrote:
>
> In Step 12 of 
> http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog, 
> the auxiliary browsing context's return value is transfered from the 
> auxiliary browsing context to whichever script called showModalDialog 
> without regard for the origin of these two browsing contexts.  In most 
> situations, this will let the auxiliary browsing context XSS the caller 
> of showModalDialog.  Instead, we should perform the same origin checks 
> and subsequent transformations that we perform on the dialog arguments 
> in step 7.

The return value is always just a string; why is this a problem? Surely 
it's more or less equivalent to handling a string passed from a foreign 
postMessage() call or some such.

Note that returnValue can also be used as a cross-origin communication 
mechanism here; if this is a problem, do you want to track the origin of 
the setter and treat it as "" if the origin differs?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 11 June 2009 18:21:36 UTC
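The exchange above turns on two points: whether the string handed back by showModalDialog should be withheld when the script that set returnValue came from a different origin than the caller (the "treat it as "" if the origin differs" suggestion), and how a caller should handle the string it does receive, which Ian compares to a string arriving through a foreign postMessage() call. The following is an added example, not code from the thread or from any browser implementation: a small model of the proposed origin check, paired with a consumer that treats the returned string as untrusted data. Origins are compared as plain strings, which is a simplification of the real same-origin comparison; the function names and the JSON shape (`choice`, `count`) are assumptions made for the example.

```javascript
// Model of a modal dialog's return value with origin tracking (added example,
// not spec or browser code). The dialog records which origin last assigned
// returnValue; on close, the opener receives that value only if the origin
// matches the caller's, otherwise "" (the alternative Ian floats in the reply).
function makeDialog(callerOrigin) {
  const state = { value: "", setterOrigin: null };
  return {
    // A script running in the dialog at `scriptOrigin` assigns returnValue.
    setReturnValue(scriptOrigin, value) {
      state.value = String(value);
      state.setterOrigin = scriptOrigin;
    },
    // What the caller of showModalDialog gets back when the dialog closes.
    close() {
      if (state.setterOrigin === null) return ""; // never assigned
      // Simplified same-origin test: string equality on serialized origins.
      return state.setterOrigin === callerOrigin ? state.value : "";
    },
  };
}

// Consumer side. Whether the string came from a dialog or a foreign
// postMessage(), it is input under another party's control: parse it into a
// plain object with a fixed set of typed fields, and never hand it to eval,
// innerHTML, the Function constructor or similar sinks. Returns null on
// anything that does not fit the expected shape.
function parseDialogResult(raw) {
  if (typeof raw !== "string" || raw === "") return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null; // not JSON: discard rather than interpret
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return null;
  }
  const result = {};
  // `choice`: short lowercase token only (assumed application vocabulary).
  if (typeof parsed.choice === "string" && /^[a-z]{1,16}$/.test(parsed.choice)) {
    result.choice = parsed.choice;
  }
  // `count`: non-negative integer only.
  if (typeof parsed.count === "number" && Number.isInteger(parsed.count) && parsed.count >= 0) {
    result.count = parsed.count;
  }
  return Object.keys(result).length > 0 ? result : null;
}

// Walk-through with constructed origins: same-origin dialog passes its value
// through; a dialog whose returnValue was last set by a different origin
// yields "", which the consumer turns into null.
function demo() {
  const caller = "https://app.example";
  const sameOrigin = makeDialog(caller);
  sameOrigin.setReturnValue(caller, JSON.stringify({ choice: "ok", count: 2 }));
  const crossOrigin = makeDialog(caller);
  crossOrigin.setReturnValue("https://other.example", JSON.stringify({ choice: "ok" }));
  return {
    same: parseDialogResult(sameOrigin.close()),
    cross: parseDialogResult(crossOrigin.close()),
  };
}
```

Note that even with the origin check in place, `parseDialogResult` is what keeps the caller safe from a same-origin-but-compromised dialog or from a string that was simply malformed: the check decides whether a string arrives, the parser decides what the caller does with it.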
