
[whatwg] Cross-origin JavaScript capability leak in showModalDialog

From: Adam Barth <whatwg@adambarth.com>
Date: Thu, 11 Jun 2009 18:26:40 -0700
Message-ID: <7789133a0906111826jf690b7ei66f010d395edb830@mail.gmail.com>
On Thu, Jun 11, 2009 at 6:21 PM, Ian Hickson<ian at hixie.ch> wrote:
> On Thu, 28 May 2009, Adam Barth wrote:
>>
>> In Step 12 of
>> http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
>> the auxiliary browsing context's return value is transferred from the
>> auxiliary browsing context to whichever script called showModalDialog
>> without regard for the origin of these two browsing contexts. In most
>> situations, this will let the auxiliary browsing context XSS the caller
>> of showModalDialog. Instead, we should perform the same origin checks
>> and subsequent transformations that we perform on the dialog arguments
>> in step 7.
>
> The return value is always just a string; why is this a problem? Surely
> it's more or less equivalent to handling a string passed from a foreign
> postMessage() call or some such.

Strings are fine.  I misread the spec.  I thought it was grabbing the
returnValue JS value, not the DOM value.  This is just an
implementation bug then.  :)

> Note that returnValue can also be used as a cross-origin communication
> mechanism here; if this is a problem, do you want to track the origin of
> the setter and treat it as "" if the origin differs?

No, I don't think that's necessary.

Thanks,
Adam
Received on Thursday, 11 June 2009 18:26:40 UTC
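Added illustration, not part of the archived message or of the spec text: a small model of the two channels the thread contrasts. When returnValue is reflected as a DOM string, whatever the dialog assigns is coerced to text before it reaches the caller, so no object or function from the dialog's realm crosses the origin boundary; if the raw JS value were handed back instead, a foreign-origin object (here a constructed one with a callable that closes over dialog state) would arrive in the caller, which is the capability leak the original report described. The names `dialogScript`, `reflectAsDomString`, `showModalDialogDomValue`, `showModalDialogJsValue` and `renderResult` are hypothetical and exist only for this example.

```javascript
// Constructed dialog-side script: assigns an object (not a string) to
// returnValue, carrying a function that closes over the dialog's own state.
function dialogScript() {
  const secret = "dialog-private-state";
  return {
    returnValue: { exfil: () => secret, toString() { return "done"; } },
  };
}

// DOMString reflection, as for a string-typed attribute: null/undefined become
// "", anything else is stringified. Only text survives this step.
function reflectAsDomString(value) {
  return value === undefined || value === null ? "" : String(value);
}

// Model of the return step with the "DOM value" semantics Hixie describes:
// the caller receives a string, never a live reference.
function showModalDialogDomValue(run) {
  const dialog = run();
  return reflectAsDomString(dialog.returnValue);
}

// Model of the reading Adam first assumed: the raw JS value crosses over.
function showModalDialogJsValue(run) {
  return run().returnValue;
}

// Caller side. Even a plain string is attacker-controlled text, so a real
// page would assign it with textContent rather than innerHTML; here we just
// record what kind of value arrived and whether it carries a capability.
function renderResult(result) {
  const typeofResult = typeof result;
  const leaksCapability = typeofResult === "object" || typeofResult === "function";
  return { typeofResult, leaksCapability, text: String(result) };
}

function demoSafe() {
  return renderResult(showModalDialogDomValue(dialogScript));
}

function demoLeaky() {
  return renderResult(showModalDialogJsValue(dialogScript));
}

console.log(demoSafe());  // { typeofResult: 'string', leaksCapability: false, text: 'done' }
console.log(demoLeaky()); // { typeofResult: 'object', leaksCapability: true, text: 'done' }
```

The text the caller sees is identical in both runs ("done"), which is why the string channel is no worse than a foreign postMessage(): the difference is only that the leaky variant also delivers a callable that still reaches into the dialog's closure.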