W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2009

[whatwg] Cross-origin JavaScript capability leak in showModalDialog

From: Adam Barth <whatwg@adambarth.com>
Date: Thu, 28 May 2009 11:38:17 -0700
Message-ID: <7789133a0905281138u16b3a7e3g2d1491901b846571@mail.gmail.com>
In Step 12 of http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
the auxiliary browsing context's return value is transfered from the
auxiliary browsing context to whichever script called showModalDialog
without regard for the origin of these two browsing contexts.  In most
situations, this will let the auxiliary browsing context XSS the
caller of showModalDialog.  Instead, we should perform the same origin
checks and subsequent transformations that we perform on the dialog
arguments in step 7.

Received on Thursday, 28 May 2009 11:38:17 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:12 UTC