Here's a demo of an attack that works in Chrome: http://webblaze.org/abarth/tests/document-location/
Flash does something similar, but not *precisely* what Vijay proposed. This approach is extremely fragile. If you require this value to make a security decision, I recommend a different approach (as I have now stated multiple times).

Adam

On Tue, Jun 9, 2009 at 1:16 AM, John Abd-El-Malek <[email protected]> wrote:
> I was referring to what I sniffed in IPC traffic:
> NPN_GetProperty is called on "location"
> and the returned object is NPN_Invoke'd to call "toString"
> Isn't this what you mean? If you observed something else, we should figure
> out what the discrepancy is!
>
> On Tue, Jun 9, 2009 at 3:36 PM, Adam Barth <[email protected]> wrote:
>>
>> Flash does something similar, but not *precisely* the same. I stand
>> by my statement that the below is insecure.
>>
>> Adam
>>
>> On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek <[email protected]> wrote:
>> > BTW this is how Flash does it.
>> >
>> > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <[email protected]> wrote:
>> >>
>> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay <[email protected]> wrote:
>> >> > We used to use NPN_GetURL with "javascript:document.location" as the
>> >> > URL. In the current implementation, after this script is executed in
>> >> > WebPluginImpl::ExecuteScript (in src/webkit/glue/webplugin_impl.cc),
>> >> > it's checking the result value:
>> >>
>> >> This is not a secure way to determine which page embedded the plug-in.
>> >> If you require this value to make a security decision, you should use
>> >> a different approach.
>> >>
>> >> Adam

--
Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
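The point Adam is making, as an added illustration that is not code from the thread or from Chromium: both lookup paths discussed above (NPN_GetURL with a javascript: URL, and NPN_GetProperty on "location" followed by NPN_Invoke of "toString") obtain the URL by running or reading the embedding page's own script objects, so the page gets to choose the answer. The model below stands in for the NPAPI calls with plain JavaScript functions, constructs an honest page and a spoofing page, and contrasts both script-derived answers with a browser-side frame record that page script cannot reach. The page objects, the frame record, and the names `embeddingUrlViaPageScript`, `embeddingUrlViaJavascriptUrl` and `embeddingUrlFromBrowser` are all assumptions of this example; whether a real page can redefine what `location` stringifies to depends on the engine (the demo linked at the top of the message targets Chrome of that era; the current HTML spec marks Location's members [LegacyUnforgeable]).

```javascript
// Added example, not Chromium or Flash code. Models the two lookup paths the
// thread describes and shows why a page-controlled answer is not a security
// input. Real NPN_GetProperty/NPN_Invoke take NPP/NPObject handles; these
// stand-ins just operate on plain objects.

// Stand-ins for the browser-side NPAPI entry points the plugin host calls.
function NPN_GetProperty(npobject, name) {
  return npobject[name];
}
function NPN_Invoke(npobject, method, args = []) {
  return npobject[method].apply(npobject, args);
}

// Path 1 (what John saw in IPC traffic): GetProperty("location") on the
// window object, then Invoke("toString") on whatever came back.
function embeddingUrlViaPageScript(windowObj) {
  const loc = NPN_GetProperty(windowObj, "location");
  return NPN_Invoke(loc, "toString");
}

// Path 2 (Vijay's original): NPN_GetURL with "javascript:document.location",
// i.e. the expression is evaluated by the page's script engine and the
// result is stringified. Modelled here with a Function built from the
// expression and run against the page's window/document objects.
function embeddingUrlViaJavascriptUrl(page) {
  const evalInPage = new Function(
    "window", "document", "return String(document.location);");
  return evalInPage(page.window, page.document);
}

// A trusted answer: the frame's committed URL as recorded by the browser's
// loader (constructed here as a plain record). Page script cannot assign to
// it, so it is the kind of out-of-band value a security decision can use.
function embeddingUrlFromBrowser(frameRecord) {
  return frameRecord.committedUrl;
}

// An honest page: location stringifies to the page's real URL.
function makeHonestPage(url) {
  const location = { href: url, toString() { return this.href; } };
  return {
    window: { location },
    document: { location },
    frame: { committedUrl: url },
  };
}

// A spoofing page: the real URL is unchanged, but what script sees as
// location.toString() reports a URL the attacker chose. This assumes the
// engine lets a page redefine that, as the thread's Chrome demo relied on.
function makeSpoofingPage(realUrl, claimedUrl) {
  const location = { href: realUrl, toString() { return claimedUrl; } };
  return {
    window: { location },
    document: { location },
    frame: { committedUrl: realUrl },
  };
}

// Run both pages through all three lookups and return what each reported.
function demo() {
  const honest = makeHonestPage("https://trusted.example/app");
  const spoof = makeSpoofingPage("https://attacker.example/evil",
                                 "https://trusted.example/app");
  const report = (p) => ({
    viaGetPropertyInvoke: embeddingUrlViaPageScript(p.window),
    viaJavascriptUrl: embeddingUrlViaJavascriptUrl(p),
    viaBrowserRecord: embeddingUrlFromBrowser(p.frame),
  });
  return { honest: report(honest), spoof: report(spoof) };
}

console.log(JSON.stringify(demo(), null, 2));
```

On the spoofing page both script-derived lookups return the trusted origin while the browser's own record still says attacker.example; a plugin that gates anything on the first two values is gated by the page it is trying to reason about. The browser-side record here is only a placeholder for "whatever channel the browser uses that the page cannot write to"; the thread does not say which mechanism Chromium should use instead.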
