My question to you is what you see Flash doing.  I pasted below what I
observed by looking at their NPN calls.

On Tue, Jun 9, 2009 at 5:23 PM, Adam Barth <aba...@chromium.org> wrote:

> Here's a demo of an attack that works in Chrome:
>
> http://webblaze.org/abarth/tests/document-location/
>
> Flash does something similar, but not *precisely* what Vijay proposed.
>  This approach is extremely fragile.  If you require this value to
> make a security decision, I recommend a different approach (as I have
> now stated multiple times).
>
> Adam
>
>
> On Tue, Jun 9, 2009 at 1:16 AM, John Abd-El-Malek <j...@chromium.org> wrote:
> > I was referring to what I sniffed in IPC traffic:
> > NPN_GetProperty is called on "location"
> > and the returned object is NPN_Invoke'd to call "toString"
> > Isn't this what you mean?  If you observed something else, we should
> > figure out what the discrepancy is!
> > On Tue, Jun 9, 2009 at 3:36 PM, Adam Barth <aba...@chromium.org> wrote:
> >>
> >> Flash does something similar, but not *precisely* the same.  I stand
> >> by my statement that the below is insecure.
> >>
> >> Adam
> >>
> >>
> >> On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek <j...@chromium.org> wrote:
> >> > BTW this is how Flash does it.
> >> >
> >> > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <aba...@chromium.org> wrote:
> >> >>
> >> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay <tec...@gmail.com> wrote:
> >> >> > We used to use NPN_GetURL with "javascript:document.location" as the
> >> >> > URL. In the current implementation, after this script is executed in
> >> >> > WebPluginImpl::ExecuteScript (in src/webkit/glue/webplugin_impl.cc),
> >> >> > it's checking the result value:
> >> >>
> >> >> This is not a secure way to determine which page embedded the plug-in.
> >> >> If you require this value to make a security decision, you should use
> >> >> a different approach.
> >> >>
> >> >> Adam
> >> >>
> >> >
> >> >
> >
> >
>

--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---