[Webkit-unassigned] [Bug 16523] Calling window.open("", "foo") allows arbitrary scripting by any domain

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 21 00:25:17 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16523

------- Comment #9 from hk9565 at gmail.com  2007-12-21 00:25 PDT -------
There are two more complications I haven't looked at yet.  After the attacker
has filled the about:blank window with malicious script and changed the opener
to point to the victim, what if he:

1) Navigates to javascript:'<script>...malicious script...</script>'
   or
2) Calls document.write('<script>...malicious script...</script>')

Both of these actions require the browser to remember the previous SecurityOrigin.
If they let the attacker recompute, the malicious script will end up in the
victim's origin.

In principle, these should work correctly with the current patch because the
browser already has to remember the document.domain state during these actions,
but I'll believe it after I test it.
