@avlidienbrunn Hey ! Can I please know the context? Don't have a clue :)
@skeptic_fx DOM Clobbering using frames can override pushMessage, making window.parent.postMessage become window.parent.frames.postMessage
-
-
@skeptic_fx See http://jsfiddle.net/PdDZ7/ , and check JS console on Chrome/Blink-Opera -
@avlidienbrunn So the lesson is never name your IFrames as postMessage / similar DOM properties or Never allow the name to be controlled? -
@avlidienbrunn Or am I missing the whole point? -
@skeptic_fx both I guess. DOM Clobbering has new angles and this one changed something X-domain. Maybe next time it will be exploitable -
@avlidienbrunn Exactly ! I am really wondering what could one do with use cases where the the name is controllable. Very interesting.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.