[Webkit-unassigned] [Bug 38340] forbid sandboxed frames to call top.close() when allow-same-origin is not setted
bugzilla-daemon at webkit.org
Wed May 5 13:55:01 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=38340
--- Comment #2 from eduardo <evn at google.com> 2010-05-05 13:55:01 PST ---
allow-top-navigation is also not set; that goes against the spec, I think:
> The close() method on Window objects should, if the corresponding browsing
> context A is an auxiliary browsing context that was created by a script (as
> opposed to by an action of the user), and if the browsing context of the script
> that invokes the method is allowed to navigate the browsing context A, close
> the browsing context A (and may discard it too).
http://0x.lv/xss.php?js_xss=";open('xss.php?100%26frame_sandbox=allow-scripts%26frame_xss=?js_xss=\x22;top.close()//');//
Note that it only works when the window was opened by another window, hmm..
Greetings!!
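The close() rule quoted in the comment above, as an added example that is not part of the original message and is not WebKit's code. It is a simplified model: the object fields, function names and origins are assumptions, and it assumes a sandboxed frame may navigate its top-level browsing context only when allow-top-navigation is set.

```javascript
// Added example: simplified model of the close() rule quoted above.
// Object fields and function names are assumptions of this sketch.
const ctx = (o) => ({ parent: null, opener: null, createdByScript: false, sandbox: null, ...o });
const topOf = (c) => (c.parent ? topOf(c.parent) : c);
const isInside = (c, root) => c === root || (c.parent !== null && isInside(c.parent, root));

// A sandboxed frame without allow-same-origin is treated as a unique origin.
function effectiveOrigin(c) {
  return c.sandbox && !c.sandbox.has('allow-same-origin') ? Symbol('unique') : c.origin;
}

function allowedToNavigate(a, b) {
  if (a === b) return true;
  if (a.sandbox && !isInside(b, a)) {
    // Sandboxed content may leave its own subtree only to reach its
    // top-level context, and only with allow-top-navigation.
    return b === topOf(a) && a.sandbox.has('allow-top-navigation');
  }
  if (effectiveOrigin(a) === effectiveOrigin(b)) return true;
  if (a.parent && topOf(a) === b) return true;          // nested frame -> its top
  if (b.opener) return allowedToNavigate(a, b.opener);  // auxiliary -> via opener
  return false;
}

// close() applies only to an auxiliary context created by script, and only
// when the calling context is allowed to navigate it.
function canClose(caller, target) {
  const auxiliaryByScript = target.opener !== null && target.createdByScript;
  return auxiliaryByScript && allowedToNavigate(caller, target);
}

// Constructed scenario: a script-opened popup containing one frame whose
// sandbox attribute carries the given tokens (null = no sandbox attribute).
function scenario(tokens) {
  const openerWin = ctx({ origin: 'http://a.example' });
  const popup = ctx({ origin: 'http://a.example', opener: openerWin, createdByScript: true });
  const frame = ctx({ origin: 'http://a.example', parent: popup,
                      sandbox: tokens === null ? null : new Set(tokens) });
  return { popup, frame };
}

for (const t of [['allow-scripts'], ['allow-scripts', 'allow-top-navigation'], null]) {
  const { popup, frame } = scenario(t);
  console.log(JSON.stringify(t), 'top.close() permitted:', canClose(frame, popup));
}
```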