- From: Adam Barth <whatwg@adambarth.com>
- Date: Thu, 11 Jun 2009 18:26:40 -0700

On Thu, Jun 11, 2009 at 6:21 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Thu, 28 May 2009, Adam Barth wrote:
>>
>> In Step 12 of
>> http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
>> the auxiliary browsing context's return value is transferred from the
>> auxiliary browsing context to whichever script called showModalDialog
>> without regard for the origin of these two browsing contexts. In most
>> situations, this will let the auxiliary browsing context XSS the caller
>> of showModalDialog. Instead, we should perform the same origin checks
>> and subsequent transformations that we perform on the dialog arguments
>> in step 7.
>
> The return value is always just a string; why is this a problem? Surely
> it's more or less equivalent to handling a string passed from a foreign
> postMessage() call or some such.

Strings are fine. I misread the spec. I thought it was grabbing the
returnValue JS value, not the DOM value. This is just an
implementation bug then. :)

> Note that returnValue can also be used as a cross-origin communication
> mechanism here; if this is a problem, do you want to track the origin of
> the setter and treat it as "" if the origin differs?

No, I don't think that's necessary.

Thanks,
Adam

Received on Thursday, 11 June 2009 18:26:40 UTC