Re: [XHR] security issue with spec's same-origin and the Document pointer

2008-11-24 Thread Hallvord R. M. Steen
On Sun, 23 Nov 2008 22:32:02 +0100, Anne van Kesteren wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its

Re: [XHR] security issue with spec's same-origin and the Document pointer

2008-11-24 Thread Ian Hickson
On Mon, 24 Nov 2008, Hallvord R. M. Steen wrote: The point is that there *is* no document pointer until you call the constructor - per the spec. And once that script calls the constructor and the document pointer is created, the associated window has a different document in it from a

Re: [XHR] security issue with spec's same-origin and the Document pointer

2008-11-23 Thread Hallvord R. M. Steen
On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its

Re: [XHR] security issue with spec's same-origin and the Document pointer

2008-11-23 Thread Anne van Kesteren
On Sun, 23 Nov 2008 18:13:41 +0100, Hallvord R. M. Steen wrote: On Fri, 21 Nov 2008 21:14:59 +0100, Anne van Kesteren wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new

[XHR] security issue with spec's same-origin and the Document pointer

2008-11-21 Thread Hallvord R. M. Steen
http://www.w3.org/TR/XMLHttpRequest/#document-pointer says When the XMLHttpRequest() constructor is invoked a persistent pointer to the associated Document object is stored on the newly created object. This is the Document pointer. The associated Document object is the one returned by the

Re: [XHR] security issue with spec's same-origin and the Document pointer

2008-11-21 Thread Anne van Kesteren
On Fri, 21 Nov 2008 17:28:34 +0100, Hallvord R. M. Steen wrote: var xhrConstructor = iframe.contentWindow.XMLHttpRequest; iframe.src='http://attackee.example.com/'; . . var xhr = new xhrConstructor(); When the constructor is invoked here, the associated document of its