- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 3 Apr 2012 00:25:43 +0000 (UTC)
On Mon, 2 Apr 2012, Boris Zbarsky wrote:
> On 4/2/12 7:39 PM, Ian Hickson wrote:
> > > For example, an attacker could open a window on a victim web page.
> > > The victim web page then opens an <iframe> on a content URL that
> > > triggers RPH. The attacker then navigates the <iframe> so that its
> > > window.location contains a different content URL.
> >
> > How can the attacker navigate that iframe? Surely it would not be
> > allowed to navigate it, per the "allowed to navigate" definition in
> > HTML.
>
> As far as I can tell UAs seem to allow walking window.frames for any
> window you have a reference to without performing any same-origin
> checks, so you can walk your way down the frame hierarchy and then set
> location.href, which is allowed cross-origin. I don't see any sort of
> "allowed to navigate" check happening on the href set in UAs, but maybe
> I'm testing it wrong?

Ah, yes, good point, I forgot that the attacker would have a reference to
the Window object.

Seems like it would be just as easy to just register a protocol handler
though. I mean, why would the victim assume it trusts the handler in this
scenario?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 2 April 2012 17:25:43 UTC
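The scenario the two messages argue about, as an added example that is not part of the thread: a small Node-runnable model of the HTML "allowed to navigate" rule (the four-part 2012 wording Ian refers to) applied to an attacker window that opens the victim page, which in turn embeds an iframe on the content URL. The model shows that the window.frames walk itself carries no origin check, but that the spec's rule, if enforced on the href set, refuses the cross-origin opener permission to navigate the victim's iframe; Boris's report is that UAs of the time did not enforce that check on the href set, so in a real browser the final step succeeded. The context objects, origins and function names are my own stand-ins, not real Window objects or browser code.

```javascript
// Added example: a model of the HTML spec's "allowed to navigate" rule
// (2012 wording) for the window / iframe arrangement discussed above.
// The objects below stand in for browsing contexts; nothing here is a
// real Window, and every name and origin is an assumption of the example.

// A browsing context: the origin of its active document, its parent (null
// for a top-level context), its opener (set only on auxiliary contexts
// created via window.open) and its child frames, mirroring window.frames.
function makeContext(name, origin, { parent = null, opener = null } = {}) {
  const ctx = { name, origin, parent, opener, frames: [], url: origin + "/" };
  if (parent) parent.frames.push(ctx);
  return ctx;
}

function topLevelOf(ctx) {
  let c = ctx;
  while (c.parent) c = c.parent;
  return c;
}

// The four disjuncts of the 2012 "allowed to navigate" definition.
function allowedToNavigate(a, b) {
  // 1. The active documents of A and B have the same origin.
  if (a.origin === b.origin) return true;
  // 2. A is nested and B is A's own top-level browsing context (frame busting).
  if (a.parent !== null && topLevelOf(a) === b) return true;
  // 3. B is an auxiliary (opened) top-level context and A may navigate B's opener.
  if (b.parent === null && b.opener !== null && allowedToNavigate(a, b.opener)) return true;
  // 4. B is nested and some ancestor of B is same-origin with A.
  for (let anc = b.parent; anc !== null; anc = anc.parent) {
    if (anc.origin === a.origin) return true;
  }
  return false;
}

// win.frames[i].frames[j]...: the walk Boris describes, given only a
// reference to the top of the tree. The walk performs no origin check,
// which matches what the thread says UAs did.
function walkFrames(win, path) {
  let cur = win;
  for (const i of path) cur = cur.frames[i];
  return cur;
}

// An href set issued from context `by` against `target`, gated by the spec
// rule. Returns true if the navigation happened. Boris's observation is that
// real UAs skipped this gate on the href set.
function setLocationHref(by, target, url) {
  if (!allowedToNavigate(by, target)) return false;
  target.url = url;
  return true;
}

// The scenario: the attacker opens the victim page (so the victim is an
// auxiliary context whose opener is the attacker), and the victim embeds an
// <iframe> on a content URL that would trigger the protocol handler.
// Origins are invented for the example.
const attacker = makeContext("attacker", "https://attacker.example");
const victim = makeContext("victim", "https://victim.example", { opener: attacker });
const content = makeContext("content-frame", "https://content.example", { parent: victim });
content.url = "https://content.example/doc-that-triggers-rph";

// The attacker holds `victim` (the window.open return value), walks down to
// the iframe and tries to point it at a different content URL.
function runScenario() {
  const frame = walkFrames(victim, [0]);
  const navigated = setLocationHref(
    attacker, frame, "https://attacker.example/other-content");
  return { reachedFrame: frame === content, navigated, frameUrl: frame.url };
}

console.log(runScenario());
```

Under the spec's rule the opener may navigate the victim top-level window it opened (disjunct 3), the victim may navigate its own iframe (disjunct 4), and the iframe may navigate its top (disjunct 2), but the cross-origin opener may not navigate the victim's iframe, so `navigated` is false here. To reproduce Boris's measurement in a real browser, the equivalent from the attacker origin is `const w = window.open(victimUrl); w.frames[0].location.href = otherUrl;` and the question is whether the browser applies the same gate to that href set.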