[Webkit-unassigned] [Bug 38340] forbid sandboxed frames to call top.close() when allow-same-origin is not set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 5 13:55:01 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38340
--- Comment #2 from eduardo <evn at google.com>  2010-05-05 13:55:01 PST ---
allow-top-navigation is also not set, which goes against the spec I think:

> The close() method on Window objects should, if the corresponding browsing 
> context A is an auxiliary browsing context that was created by a script (as
> opposed to by an action of the user), and if the browsing context of the script
> that invokes the method is allowed to navigate the browsing context A, close
> the browsing context A (and may discard it too).

http://0x.lv/xss.php?js_xss=";open('xss.php?100%26frame_sandbox=allow-scripts%26frame_xss=?js_xss=\x22;top.close()//');//

Note that it only works when the window was opened by another window, hmm...

Greetings!!
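The rule quoted in the comment above, as an added example that is not code from the bug report or from WebKit: a Node-runnable model of when script in a sandboxed frame may call close() on its top-level window, reduced to the sandbox keywords this page discusses (allow-scripts, allow-top-navigation). Real browsers apply further conditions (frame ancestry, user activation, later keywords), so this is an audit aid for embed markup, not the engine's logic; the embed descriptors and the `popup` object are constructed sample data.

```javascript
// Simplified model of the HTML sandbox rule discussed on this page.
// Not WebKit code; the keyword checks below are an assumption drawn from the
// quoted spec text, not a complete "allowed to navigate" implementation.

// Parse a sandbox attribute value into its keyword set. The attribute is an
// unordered, ASCII case-insensitive, whitespace-separated set of tokens.
function parseSandbox(attr) {
  const flags = new Set();
  for (const tok of String(attr ?? '').trim().split(/\s+/)) {
    if (tok) flags.add(tok.toLowerCase());
  }
  return flags;
}

// Can script in a frame sandboxed with `attr` navigate the top-level browsing
// context? No script runs at all without allow-scripts, and navigating the
// top is additionally gated on allow-top-navigation.
function sandboxedFrameMayNavigateTop(attr) {
  const flags = parseSandbox(attr);
  return flags.has('allow-scripts') && flags.has('allow-top-navigation');
}

// The quoted close() rule: the target must be an auxiliary browsing context
// that script opened, and the caller must be allowed to navigate it.
function sandboxedFrameMayCloseTop(attr, top) {
  if (!top.isAuxiliary || !top.openedByScript) return false;
  return sandboxedFrameMayNavigateTop(attr);
}

// Audit embed descriptors ({id, sandbox}) hosted in window `top`; returns the
// ids whose sandbox still permits frame script to close that window.
function embedsThatMayCloseTop(embeds, top) {
  return embeds
    .filter((e) => sandboxedFrameMayCloseTop(e.sandbox, top))
    .map((e) => e.id);
}

// Constructed sample: a popup opened via window.open() hosting three embeds.
const popup = { isAuxiliary: true, openedByScript: true };
const sampleEmbeds = [
  { id: 'ad', sandbox: 'allow-scripts' },                          // the case in this bug
  { id: 'widget', sandbox: 'ALLOW-SCRIPTS allow-top-navigation' }, // explicitly permitted
  { id: 'static', sandbox: '' },                                   // fully sandboxed
];

console.log(embedsThatMayCloseTop(sampleEmbeds, popup)); // ['widget']
```

Per the quoted rule only the `widget` embed may close the popup; the `ad` embed with bare allow-scripts, the case the bug is about, must not be able to.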
