Hi Marcin,

On Nov 19, 2009, at 09:44 , Marcin Hanclik wrote:
> Great thanks for the descriptive example!

A pleasure :)

> The security issue in your example results from the eval that is contained in
> the html within a widget. So we could assume that if the widget is signed we
> could somehow rely on its content. Then the evil eval would maybe not be used
> (at least not in the context you quote).

Perhaps, but the example I used was very straightforward and easy to review — it would be possible for the original HTML to be a trojan with a less obvious attack path. For instance consider a createElement(name, parent, content) method; you could obtain "script" and "alert('I am evil!')" using the same trick, and call createElement("script", document.body, "alert('I am evil!')") — it would work just the same as eval().

> However, since some images can also be executed, the distinction is de-facto
> void.

Right, it's one of those things that people would've done differently if we'd had a chance to think about the consequences while the web was being organically grown, but that's water under the bridge now.

-- 
Robin Berjon - http://berjon.com/
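The createElement(name, parent, content) helper Robin describes, as an added example that is not part of the original thread or of any widget implementation: a generic element-building helper that never mentions eval but still hands any caller who controls its arguments an eval() primitive, placed next to a hardened form that only builds inert elements and only sets text. The code is written to run under Node without a browser, so a small constructed DOM stub stands in for `document`; the stub is an assumption that models just the one browser behaviour the argument depends on, namely that appending a `<script>` element runs its text. In a real page you would pass the real `document` instead. The element allowlist and the function names are illustrative choices, not anything from the thread.

```javascript
'use strict';

// Constructed DOM stub (assumption: it models only the behaviour this
// example needs, namely that appending a <script> element runs its text).
// In a real page, pass the real `document` instead of makeDocument().
function makeDocument() {
  const executed = []; // scripts the emulated browser has run
  function makeNode(tagName) {
    return {
      tagName,
      textContent: '',
      children: [],
      appendChild(child) {
        this.children.push(child);
        if (child.tagName === 'SCRIPT') executed.push(child.textContent);
        return child;
      },
    };
  }
  return {
    executed,
    body: makeNode('BODY'),
    createElement: (name) => makeNode(String(name).toUpperCase()),
  };
}

// The helper as described in the thread: a generic (name, parent, content)
// signature. Nothing in it looks like eval(), and a reviewer grepping a
// signed widget for eval() will not find it, but a caller who controls
// `name` and `content` gets code execution all the same.
function createElementUnsafe(doc, name, parent, content) {
  const el = doc.createElement(name);
  el.textContent = content;
  parent.appendChild(el);
  return el;
}

// Hardened form: only inert element names, content goes in as text only
// (never innerHTML, never attributes such as on* handlers or href), and a
// rejected request throws instead of silently building something else.
const INERT_ELEMENTS = new Set(['div', 'span', 'p', 'ul', 'li', 'strong', 'em']);

function createElementSafe(doc, name, parent, content) {
  const tag = String(name).toLowerCase();
  if (!INERT_ELEMENTS.has(tag)) {
    throw new Error(`createElementSafe: element <${tag}> is not allowed`);
  }
  const el = doc.createElement(tag);
  el.textContent = String(content);
  parent.appendChild(el);
  return el;
}

// Demonstration: "script" and the payload arrive as plain strings assembled
// at runtime (constructed input), so a search of the widget source for the
// literal word "script" or for eval() finds nothing suspicious.
function demo() {
  const doc = makeDocument();
  const attackerName = 'scr' + 'ipt';
  const payload = "alert('I am evil!')"; // the thread's payload

  createElementUnsafe(doc, attackerName, doc.body, payload);
  const ranUnsafe = doc.executed.includes(payload);

  let blocked = false;
  try {
    createElementSafe(doc, attackerName, doc.body, payload);
  } catch (e) {
    blocked = true;
  }
  return { ranUnsafe, blocked, executedCount: doc.executed.length };
}

console.log(demo()); // { ranUnsafe: true, blocked: true, executedCount: 1 }
```

The design point is that signing tells you who shipped the code, not what the code can do: a review has to treat any helper whose arguments choose the element name, or that writes to innerHTML or to attributes, as a sink equivalent to eval(), and the cheapest fix is an allowlist of inert elements plus text-only content, as createElementSafe does.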