- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 12 Jun 2009 01:21:36 +0000 (UTC)
On Thu, 28 May 2009, Adam Barth wrote:
>
> In Step 12 of
> http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
> the auxiliary browsing context's return value is transferred from the
> auxiliary browsing context to whichever script called showModalDialog
> without regard for the origin of these two browsing contexts. In most
> situations, this will let the auxiliary browsing context XSS the caller
> of showModalDialog. Instead, we should perform the same origin checks
> and subsequent transformations that we perform on the dialog arguments
> in step 7.

The return value is always just a string; why is this a problem? Surely
it's more or less equivalent to handling a string passed from a foreign
postMessage() call or some such.

Note that returnValue can also be used as a cross-origin communication
mechanism here; if this is a problem, do you want to track the origin of
the setter and treat it as "" if the origin differs?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 11 June 2009 18:21:36 UTC
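
The origin-tracking option raised in the message above, as an added example that is not part of the thread or the spec: a small JavaScript model in which the return value remembers the origin of the script that set it, and the caller receives "" when that origin differs from its own. The class, function names and origins are hypothetical; this models the check only and is not the browser API.

```javascript
// Constructed model of the check discussed in the message; not browser or spec code.
// Origins are passed in explicitly as URL strings (all values here are made up).

// Same-origin test on scheme/host/port, using the URL parser's serialization.
function sameOrigin(a, b) {
  let oa, ob;
  try {
    oa = new URL(a).origin;
    ob = new URL(b).origin;
  } catch (e) {
    return false; // unparsable input never matches
  }
  // Opaque origins (data: and similar) serialize as "null" and match nothing.
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

class DialogReturnValue {
  constructor() {
    this.value = "";
    this.setterOrigin = null; // nothing has set the value yet
  }
  // scriptOrigin: URL of the script performing the assignment.
  set(scriptOrigin, value) {
    this.value = String(value); // the message notes the value is always a string
    this.setterOrigin = scriptOrigin;
  }
  // What the caller of the dialog would be handed back.
  readFor(callerOrigin) {
    if (this.setterOrigin === null) return "";
    return sameOrigin(this.setterOrigin, callerOrigin) ? this.value : "";
  }
}

// Same caller, first a same-origin setter, then a cross-origin one.
function demo() {
  const caller = "https://app.example";
  const rv = new DialogReturnValue();
  rv.set("https://app.example:443/dialog.html", "ok");
  const same = rv.readFor(caller);
  rv.set("https://other.example/dialog.html", "payload");
  const cross = rv.readFor(caller);
  return { same, cross };
}
```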