Just tested. Seems to work in Chrome content scripts but not Firefox. Code at https://fromwhenceitca.me/ExternalInterface/ …
Replying to @Allan_Wirth @taviso
ExternalInterface.addCallback allows arbitrary return objects. Unfortunately form trick only allows one array/item access from the global :(
Replying to @Allan_Wirth @taviso
Also looks like, if you ExternalInterface.call in a callback called from content script, you're NOT in the isolated world.
Replying to @Allan_Wirth
You've lost me, and your files all 403. How do you make a content script use ExternalInterface.call without XSS? (i.e. already won)
Replying to @taviso
Oops, perms fixed. The stack going from content script world to other isn't a security issue, more just unexpected and strange.
Replying to @Allan_Wirth @taviso
The addCallback working on HTMLObjectElement from isolated world in Chrome though probably is useful for exploiting some bugs like the

Replying to @Allan_Wirth
Ahh, I see, that is interesting. I didn't believe it would work across worlds, you're right, it does. That's...worrying /cc @0x6D6172696F
Replying to @taviso @Allan_Wirth
That is going to make something exploitable for sure. Thanks for making the demo!
Replying to @taviso @Allan_Wirth
Maybe this is even a bug?
//cc @arturjanc @mikewest @nasko @zetafuncti0n
Replying to @taviso @arturjanc and
Why is this a bug? Shouldn't content scripts be able to access these methods just like any other method on DOM nodes?
Each world is supposed to have its own version of the object, I think this breaks that promise.
Replying to @taviso @arturjanc and
Huh, okay. Is there a spec for isolated worlds? I can't find it. I was surprised it didn't work with Xray but did with isolated worlds.