Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, thus navigate
the sender window/document. I think this is a bug in the API itself.
This seems to violate the
On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, thus navigate
the sender window/document. I think this is a
Hallvord,
On Feb 7, 2008 1:24 AM, Hallvord R M Steen [EMAIL PROTECTED] wrote:
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, thus navigate
the sender
On 07/02/2008, Hallvord R M Steen [EMAIL PROTECTED] wrote:
That is of course a possibility. I don't have Firefox 3 handy so I'd
appreciate somebody explaining how it is implemented there.
By the way, I recommend Minefield (the Firefox 3 nightlies) to anyone.
I now use it as my default browser
On 07/02/2008, Thomas Broyer [EMAIL PROTECTED] wrote:
On Feb 7, 2008 10:24 AM, Hallvord R M Steen wrote:
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location,
Adam Barth and Collin Jackson pointed out to me that while
investigating frame navigation policies they found that a recipient of
a postMessage in Opera can set event.source.location, thus navigate
the sender window/document. I think this is a bug in the API itself.
When one frame posts
On Feb 7, 2008 2:27 AM, Hallvord R M Steen [EMAIL PROTECTED] wrote:
Opera assumes that if a script
has a JavaScript pointer to a frame then that script is permitted to
navigate that frame.
This is actually per the spec and required for web compatibility: any
script that has a pointer to a
Consider a site that has something like an event calendar (may be
displayed with a table layout or just a simple list). How should one
link to iCalendar information that is meant for subscription or
importing to reader's calendaring software? (This is different from a
single event information for
On Feb 7, 2008, at 2:27 AM, Hallvord R M Steen wrote:
The source attribute of the message event does not leak any privileges
to the recipient in Internet Explorer, Firefox, and Safari because
these browsers do not make this assumption and instead check whether
the script is permitted to
Opera assumes that if a script
has a JavaScript pointer to a frame then that script is permitted to
navigate that frame.
This is actually per the spec and required for web compatibility
Here is a test case:
http://crypto.stanford.edu/~abarth/research/html5/sibling/
Ah sorry, I see
On Feb 7, 2008 10:59 AM, Hallvord R M Steen wrote:
Have a look at section 4.7.4.1. Security which reads:
User agents must raise a security exception whenever any of the
members of a Location object are accessed by scripts whose origin is
not the same as the Location object's associated
11 matches