On Wed, Jun 10, 2009 at 12:30 AM, Adam Barth <aba...@chromium.org> wrote:

> I'm hesitant to say because I don't want Vijay to treat this as advice
> on the "right" way to determine which page included his plug-in.  The
> approach of trying to read the document's location via JavaScript is
> fundamentally insecure.


I think if we tell someone not to do something because it's insecure, we
need to at least tell them about the most secure way we know about, even if
it's not perfect.  IMO unless Vijay's plugin is on a large number of
machines, it won't be an attractive target for attackers.


>
>
> That being said, my understanding is that Flash examines the location
> property of the window object and not the document object.  Note that
> simply making this change to the below is *not* sufficient for
> security.


Ok, this matches what I observed and wrote below.


>
>
> Adam
>
>
> On Tue, Jun 9, 2009 at 1:30 AM, John Abd-El-Malek<j...@chromium.org> wrote:
> > My question to you is what you see Flash doing.  I pasted below what I
> > observed by looking at their NPN calls.
> >
> > On Tue, Jun 9, 2009 at 5:23 PM, Adam Barth <aba...@chromium.org> wrote:
> >>
> >> Here's a demo of an attack that works in Chrome:
> >>
> >> http://webblaze.org/abarth/tests/document-location/
> >>
> >> Flash does something similar, but not *precisely* what Vijay proposed.
> >>  This approach is extremely fragile.  If you require this value to
> >> make a security decision, I recommend a different approach (as I have
> >> now stated multiple times).
> >>
> >> Adam
> >>
> >>
> >> On Tue, Jun 9, 2009 at 1:16 AM, John Abd-El-Malek<j...@chromium.org>
> wrote:
> >> > I was referring to what I sniffed in IPC traffic:
> >> > NPN_GetProperty is called on "location"
> >> > and the returned object is NPN_Invoke'd to call "toString"
> >> > Isn't this what you mean?  If you observed something else, we should
> >> > figure
> >> > out what the discrepancy is!
> >> > On Tue, Jun 9, 2009 at 3:36 PM, Adam Barth <aba...@chromium.org>
> wrote:
> >> >>
> >> >> Flash does something similar, but not *precisely* the same.  I stand
> >> >> by my statement that the below is insecure.
> >> >>
> >> >> Adam
> >> >>
> >> >>
> >> >> On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek<j...@chromium.org>
> >> >> wrote:
> >> >> > BTW this is how Flash does it.
> >> >> >
> >> >> > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <aba...@chromium.org>
> >> >> > wrote:
> >> >> >>
> >> >> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay<tec...@gmail.com> wrote:
> >> >> >> > We used to use NPN_GetURL with "javascript:document.location" as
> >> >> >> > the
> >> >> >> > URL. In the current implementation, after this script is
> executed
> >> >> >> > in
> >> >> >> > WebPluginImpl::ExecuteScript (in
> >> >> >> > src/webkit/glue/webplugin_impl.cc),
> >> >> >> > it's checking the result value:
> >> >> >>
> >> >> >> This is not a secure way to determine which page embedded the
> >> >> >> plug-in.
> >> >> >>  If you require this value to make a security decision, you should
> >> >> >> use
> >> >> >> a different approach.
> >> >> >>
> >> >> >> Adam
> >> >> >>
> >> >> >>
> >> >> >
> >> >> >
> >> >
> >> >
> >
> >
>
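An added example, not code from this thread or from Chromium: a Node-runnable model of the NPN_GetProperty("location") / NPN_Invoke("toString") sequence John sniffed, set against a host-supplied URL. The npnGetProperty/npnInvoke helpers, makeFrame, and the page script are constructed stand-ins for illustration, not the real NPAPI.

```javascript
// Model of a plug-in reading the embedding page's URL through page-visible
// objects, versus taking it from the host. Everything here is a constructed
// simulation; npnGetProperty/npnInvoke only mimic the property lookup and
// method call the real NPN_GetProperty/NPN_Invoke perform.
function npnGetProperty(obj, name) { return obj[name]; }
function npnInvoke(obj, method, ...args) { return obj[method](...args); }

// The fragile approach: ask the page-side window for "location", then call
// "toString" on whatever object came back.
function readLocationViaScript(win) {
  const loc = npnGetProperty(win, "location");
  return String(npnInvoke(loc, "toString"));
}

// A frame as the browser sees it: the host knows the real URL it navigated
// to, independently of anything the page's script later does to `win`.
function makeFrame(realUrl, pageScript) {
  const win = { location: { href: realUrl, toString() { return this.href; } } };
  if (pageScript) pageScript(win); // page script runs and may mutate `win`
  return { hostUrl: realUrl, win };
}

// Constructed page script: replaces the location object with one whose
// toString reports a different origin. Because the page controls every
// object reachable this way, the value read back cannot carry a security
// decision; this is the fragility the thread is about.
function misreportingPage(win) {
  win.location = { toString() { return "https://trusted.example/"; } };
}

// The robust alternative: the embedder hands the plug-in the document URL it
// recorded itself, so page script has no influence over it.
function readLocationFromHost(frame) { return frame.hostUrl; }

// Which origin the plug-in would act on under each approach.
function originsSeenBy(frame) {
  return {
    viaScript: new URL(readLocationViaScript(frame.win)).origin,
    viaHost: new URL(readLocationFromHost(frame)).origin,
  };
}

const honest = makeFrame("https://untrusted.example/page.html");
const lying = makeFrame("https://untrusted.example/page.html", misreportingPage);
console.log(originsSeenBy(honest)); // viaScript and viaHost: https://untrusted.example
console.log(originsSeenBy(lying));  // viaScript: https://trusted.example, viaHost: https://untrusted.example
```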

--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---