
[whatwg] <object> behavior

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 16 Oct 2009 17:48:30 -0400
Message-ID: <4AD8EA2E.3040003@mit.edu>
On 10/16/09 4:12 PM, Ben Laurie wrote:
> I realise this is only one of dozens of ways that HTML is unfriendly
> to security, but, well, this seems like a bad idea - if the page
> thinks it is embedding, say, some flash, it seems like a pretty bad
> idea to allow the (possibly untrusted) site providing the "flash" to
> run whatever it wants in its place.

This cuts both ways.  If a site allows me to upload images and I upload 
an HTML file with some script in it and tell it it's a GIF (e.g. via the 
name) and then put an <object type="text/html" 
data="http://this.other.site/my.gif"> on my site...  then I just 
injected script into a different domain if we let @type override the 
server-provided header.

This is, imo, a much bigger problem than that of people embedding 
content from an untrusted site and getting content X instead of content 
Y, especially because content X can't actually access the page that 
contains it, right?

-Boris
Received on Friday, 16 October 2009 14:48:30 UTC
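As an added example that is not part of the thread or of any browser or server project: a server-side upload check of the kind Boris's scenario calls for, so that a file named like a GIF really carries image bytes before the hosting site ever serves it, and is then served with a fixed Content-Type plus nosniff so a client must not reinterpret it. Function and header names below are assumptions; all input is constructed inline.

```python
"""Constructed example: guard the 'upload HTML, call it a GIF' scenario.

The hosting site decides the served type from the file's own bytes, not
from the uploaded name, and tells clients not to second-guess that type.
"""
import re
from typing import Tuple

# Magic-byte signatures for the image types this hypothetical site accepts.
IMAGE_SIGNATURES = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Markup that would make an HTML interpreter treat the bytes as a document.
_HTML_MARKERS = re.compile(rb"<(?:!doctype|html|script|body|head)\b", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the accepted image MIME type whose signature leads the data, else None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored as an image.

    Returns (True, mime) when the bytes match an accepted image signature
    and carry no HTML markup near the start; otherwise (False, reason).
    The claimed filename is reported only, never trusted.
    """
    mime = sniff_image_type(data)
    if mime is None:
        return False, f"{filename!r}: bytes do not match an accepted image type"
    if _HTML_MARKERS.search(data[:4096]):
        # Valid image header followed by markup: reject polyglot attempts too.
        return False, f"{filename!r}: image-looking file contains HTML markup"
    return True, mime


def response_headers(mime: str) -> dict:
    """Headers for serving a validated upload: the type is fixed server-side,
    and nosniff instructs the client not to override it by content sniffing."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
    }
```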
