On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren <[EMAIL PROTECTED]>
wrote:
var xhrConstructor = iframe.contentWindow.XMLHttpRequest;
iframe.src='http://attackee.example.com/';
.
.
var xhr = new xhrConstructor();
When the constructor is invoked here, the associated document of its
associated window object is not safe to do same-origin comparisons
against. I've tested this in the main 4 engines, and they all protect
against this exploit but as far as I can see someone implementing the
spec as it's written would end up vulnerable.
Why would the SECURITY_ERR exception not be thrown during the open()
method invocation as the specification requires?
Because when you call "new xhrConstructor()" the document pointer is
initialized *but at that point the document of the associated window
originates from attackee.example.com*. If the script goes on to request
content from this domain, the same-origin comparison against the document
pointer would pass when it should in fact fail because the script itself
is from a different origin.
--
Hallvord R. M. Steen
Core JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience