On 01.10.2008 at 14:20, Jonathan Rockway wrote:

* On Wed, Oct 01 2008, Moritz Onken wrote:
I imagine a case where the attacker's site opens an iframe to your
site which exploits an XSS issue and can send the whole form
information back to the attacker's site. He now has the HMAC and
the random string.

I was under the impression that you could open an iframe to someone
else's site and manipulate it from JavaScript running on your own site,
without relying on any vulnerabilities on that site. Maybe not? Maybe
Flash can do this?  (Why do we even have iframes?  For serving ads?)

Hi Jonathan,

You cannot access data on a different frame via JavaScript if it's not
from the same server. This is called the same origin policy and is also
applicable to iframes.

greetings

moritz

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
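
The same-origin check discussed in this thread, modelled as an added example that is not part of the original messages: script in an embedding page may read an iframe's document only when scheme, host and port all match. The host names are constructed, and the functions only model the comparison the browser performs itself.

```javascript
// Added illustration (not from the thread): the origin comparison a browser
// applies before letting script in one frame read another frame's document.
// An origin is the tuple (scheme, host, port); path and query are not part of it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns [scheme, host, port], or null for an opaque origin (for example data: URLs).
function originTuple(url) {
  const u = new URL(url);
  if (u.origin === "null") return null;
  // The URL parser drops a default port, so restore it to get an explicit tuple.
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""];
}

// Opaque origins never match anything, not even themselves.
function sameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) return false;
  return ta.every((part, i) => part === tb[i]);
}

// Constructed sample pairs: [URL of the embedding page, URL loaded in the iframe].
const SAMPLE_PAIRS = [
  ["http://attacker.example/page", "http://shop.example/form"], // different host
  ["http://shop.example/a", "http://SHOP.example:80/b"],        // same origin, port and case normalised
  ["http://shop.example/", "https://shop.example/"],            // different scheme
  ["http://shop.example/", "http://www.shop.example/"],         // subdomain is a different host
  ["http://shop.example/", "http://shop.example:8080/"],        // different port
  ["data:text/html,<p>x</p>", "data:text/html,<p>x</p>"],       // opaque origin
];

// Decide for each pair whether the embedding page could read the frame's DOM.
function evaluateSamples() {
  return SAMPLE_PAIRS.map(([page, frame]) => ({
    page,
    frame,
    readable: sameOrigin(page, frame),
  }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.readable ? "allowed" : "blocked"}  ${r.page} -> ${r.frame}`);
}
```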
