My question to you is what you see Flash doing. I pasted below what I observed by looking at their NPN calls.
On Tue, Jun 9, 2009 at 5:23 PM, Adam Barth <aba...@chromium.org> wrote:
> Here's a demo of an attack that works in Chrome:
>
> http://webblaze.org/abarth/tests/document-location/
>
> Flash does something similar, but not *precisely* what Vijay proposed.
> This approach is extremely fragile. If you require this value to
> make a security decision, I recommend a different approach (as I have
> now stated multiple times).
>
> Adam
>
>
> On Tue, Jun 9, 2009 at 1:16 AM, John Abd-El-Malek <j...@chromium.org> wrote:
> > I was referring to what I sniffed in IPC traffic:
> > NPN_GetProperty is called on "location"
> > and the returned object is NPN_Invoke'd to call "toString"
> > Isn't this what you mean? If you observed something else, we should figure
> > out what the discrepancy is!
> >
> > On Tue, Jun 9, 2009 at 3:36 PM, Adam Barth <aba...@chromium.org> wrote:
> >>
> >> Flash does something similar, but not *precisely* the same. I stand
> >> by my statement that the below is insecure.
> >>
> >> Adam
> >>
> >>
> >> On Mon, Jun 8, 2009 at 8:08 PM, John Abd-El-Malek <j...@chromium.org> wrote:
> >> > BTW this is how Flash does it.
> >> >
> >> > On Mon, Jun 8, 2009 at 7:47 PM, Adam Barth <aba...@chromium.org> wrote:
> >> >>
> >> >> On Mon, Jun 8, 2009 at 1:29 PM, vijay <tec...@gmail.com> wrote:
> >> >> > We used to use NPN_GetURL with "javascript:document.location" as the
> >> >> > URL. In the current implementation, after this script is executed in
> >> >> > WebPluginImpl::ExecuteScript (in src/webkit/glue/webplugin_impl.cc),
> >> >> > it's checking the result value:
> >> >>
> >> >> This is not a secure way to determine which page embedded the plug-in.
> >> >> If you require this value to make a security decision, you should use
> >> >> a different approach.
> >> >>
> >> >> Adam

Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev