On Fri, 21 Nov 2008 17:28:34 +0100, Hallvord R. M. Steen
<[EMAIL PROTECTED]> wrote:
var xhrConstructor = iframe.contentWindow.XMLHttpRequest;
iframe.src='http://attackee.example.com/';
.
.
var xhr = new xhrConstructor();
When the constructor is invoked here, the associated document of its
associated window object is not safe to do same-origin comparisons
against. I've tested this in the main 4 engines, and they all protect
against this exploit but as far as I can see someone implementing the
spec as it's written would end up vulnerable.
Why would the SECURITY_ERR exception not be thrown during the open()
method invocation as the specification requires?
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
