On Thu, 7 Feb 2008, Hallvord R M Steen wrote:
>
> Adam Barth and Collin Jackson pointed out to me that while investigating
> frame navigation policies they found that a recipient of a postMessage
> in Opera can set event.source.location, thus navigate the sender
> window/document. I think this i
I'm a bit late to this party due to turning off list email because I didn't
think I could handle it in addition to all the other email I receive. I just
reenabled it to not miss anything; we'll see how this actually goes this time
around. :-\
Adam Barth wrote:
On Feb 7, 2008 4:32 AM, Hallv
On Feb 7, 2008 4:32 AM, Hallvord R M Steen <[EMAIL PROTECTED]> wrote:
> One case I'm still
> somewhat concerned about is that one is allowed to set the location of
> any top-level window according to the ancestor policy,
Yes. I think there is a lot of room for improvement in this part of
the navi
On Feb 7, 2008 10:59 AM, Hallvord R M Steen wrote:
>
> Have a look at section 4.7.4.1. Security which reads:
>
> User agents must raise a security exception whenever any of the
> members of a Location object are accessed by scripts whose origin is
> not the same as the Location object's associated
> > > Opera assumes that if a script
> > > has a JavaScript pointer to a frame then that script is permitted to
> > > navigate that frame.
> >
> > This is actually per the spec and required for web compatibility
> Here is a test case:
>
> http://crypto.stanford.edu/~abarth/research/html5/sibling/
On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:
The source attribute of the message event does not leak any
privileges
to the recipient in Internet Explorer, Firefox, and Safari because
these browsers do not make this assumption and instead check whether
the script is permitted to nav
On Feb 7, 2008 2:27 AM, Hallvord R M Steen <[EMAIL PROTECTED]> wrote:
> > Opera assumes that if a script
> > has a JavaScript pointer to a frame then that script is permitted to
> > navigate that frame.
>
> This is actually per the spec and required for web compatibility: any
> script that has a po
> > Adam Barth and Collin Jackson pointed out to me that while
> > investigating frame navigation policies they found that a recipient of
> > a postMessage in Opera can set event.source.location, thus navigate
> > the sender window/document. I think this is a bug in the API itself.
>
> When one fra
On 07/02/2008, Hallvord R M Steen <[EMAIL PROTECTED]> wrote:
> That is of course a possibility. I don't have Firefox 3 handy so I'd
> appreciate somebody explaining how it is implemented there.
By the way, I recommend Minefield (the Firefox 3 nightlies) to anyone.
I now use it as my default brow
Hallvord,
On Feb 7, 2008 1:24 AM, Hallvord R M Steen <[EMAIL PROTECTED]> wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, thus navigate
> the sender w
On 07/02/2008, Thomas Broyer <[EMAIL PROTECTED]> wrote:
> On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
> > Adam Barth and Collin Jackson pointed out to me that while
> > investigating frame navigation policies they found that a recipient of
> > a postMessage in Opera can set event.source.loca
On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
> Adam Barth and Collin Jackson pointed out to me that while
> investigating frame navigation policies they found that a recipient of
> a postMessage in Opera can set event.source.location, thus navigate
> the sender window/document. I think this i
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, thus navigate
the sender window/document. I think this is a bug in the API itself.
This seems to violate the API's
13 matches
Mail list logo