@avlidienbrunn Hey ! Can I please know the context? Don't have a clue :)
@avlidienbrunn So the lesson is never name your IFrames as postMessage / similar DOM properties or never allow the name to be controlled?
@avlidienbrunn Or am I missing the whole point?
@skeptic_fx both I guess. DOM Clobbering has new angles and this one changed something X-domain. Maybe next time it will be exploitable
@avlidienbrunn Exactly! I am really wondering what one could do with use cases where the name is controllable. Very interesting.
@avlidienbrunn you can invoke parent.postMessage.toString, maybe there is a way to overwrite that function instead of postMessage itself? :\
@cgvwzq you can overwrite parent.postMessage.call, but then there's the X-Domain problem :p