Re: Cross domain resource

On Oct 26, 2012, at 11:06 PM, Boris Zbarsky <bzbarsky@MIT.EDU> wrote:

> On 10/26/12 4:20 PM, Dirk Schulze wrote:
>> After more investigation, cross domain references of resources can indeed be a problem for XSS. For instance this seems not to be disallowed by the spec (Note: A script is running on the mask element when loaded):
>> 
>> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
>> <mask id="mask" onload="console.log('CORS? Of course!')"/>
>> </svg>
> 
> For what it's worth, Gecko does not run scripts in resource documents, 
> period, even same-origin ones.
This seems confusing and should be unified. What about this (simplified):

<mask>
	<rect>
		<animate attributeName="width" onend="fire();"/>
	</rect>
</mask>

This would fire if the snippet is in the same document, but wouldn't if it is in an external one? (Opera might do the same on same origin, didn't check.)

> 
>> Adam Barth notes that cross-referencing could be used to query the fragments on the external resource. Together with JavaScript you could try to search for certain IDs in the external document.
> 
> Well, you can also extract geometry data from the external document, right?

With different origin? Maybe I am wrong, but I thought this would not be so easy.

Dirk

> 
> -Boris
> 

Received on Friday, 26 October 2012 23:33:34 UTC
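The thread's concern is script-bearing content (onload on a mask, onend on an animate, script elements) inside an SVG that another origin pulls in as a resource. Below is an added example, not code from the thread or from any browser engine, of the check a server or sanitizer can run before exposing an SVG as a referenceable resource: it walks the document and reports every construct that could execute script, and offers a scrubbed copy with those constructs removed. The function names (find_script_sinks, strip_script_sinks) and the sample document are constructed for this example; the sample reuses the mask/animate snippets posted above, with a script element and a javascript: href added to show the other sinks.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the original prefixes on re-serialisation instead of ns0:/ns1:
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample: the thread's mask/animate snippets plus two more sinks.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<mask id="mask" onload="console.log('CORS? Of course!')">
  <rect width="10" height="10">
    <animate attributeName="width" onend="fire();"/>
  </rect>
</mask>
<script>alert(1)</script>
<a xlink:href="javascript:fire()"><rect width="1" height="1"/></a>
<rect id="safe" width="5" height="5"/>
</svg>"""


def local_name(qname):
    """Strip the '{namespace}' part ElementTree prepends to tags and attributes."""
    return qname.split("}", 1)[1] if "}" in qname else qname


def _is_script_attr(name, value):
    # Any on* attribute is an event handler; a javascript: href is a script URL.
    lname = local_name(name)
    if lname.lower().startswith("on"):
        return f"event handler attribute {lname}"
    if lname == "href" and value.strip().lower().startswith("javascript:"):
        return "javascript: URL in href"
    return None


def find_script_sinks(svg_text):
    """Return a list of (element path, reason) for every script-capable construct."""
    root = ET.fromstring(svg_text)
    findings = []

    def walk(el, path):
        name = local_name(el.tag)
        here = f"{path}/{name}" + (f"#{el.get('id')}" if el.get("id") else "")
        if name == "script":
            findings.append((here, "script element"))
        for attr, value in el.attrib.items():
            reason = _is_script_attr(attr, value)
            if reason:
                findings.append((here, reason))
        for child in el:
            walk(child, here)

    walk(root, "")
    return findings


def strip_script_sinks(svg_text):
    """Return the document with script elements, on* attributes and javascript: hrefs removed.

    Geometry (rect, mask, animate timing) is left intact; only script sinks go."""
    root = ET.fromstring(svg_text)

    def scrub(el):
        for attr in list(el.attrib):
            if _is_script_attr(attr, el.attrib[attr]):
                del el.attrib[attr]
        for child in list(el):
            if local_name(child.tag) == "script":
                el.remove(child)
            else:
                scrub(child)

    scrub(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, reason in find_script_sinks(SAMPLE_SVG):
        print(f"{path}: {reason}")
    print(strip_script_sinks(SAMPLE_SVG))
```

Note that the animate's onend is found even though it is nested inside the mask, which is the case discussed above: an engine that runs handlers in resource documents would fire it when the mask is referenced. A check like this only matters for engines that do run script in resource documents; where, as Boris notes for Gecko, scripts in resource documents never run, the same document is inert.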