
248 Re: [caplet] Re: ADsafe and bind

  • Kris Zyp
    Sep 8, 2008
      > I looked at the Mozilla array methods, and wrapped the three that I
      > observed leaking the global object. Under what circumstances do slice,
      > forEach, et al, leak?
      If there is an iframe somewhere on the page, they can leak access to it (I was able to reproduce that).
      Kris
       
       
      ----- Original Message -----
      Sent: Monday, September 08, 2008 11:04 AM
      Subject: [caplet] Re: ADsafe and bind

      --- In caplet@yahoogroups.com, "marcel.laverdet" <marcel@...> wrote:
      > Of course the attack assumes that the host uses Prototype and also has an iframe on the
      > page, but I imagine such cases aren't hard to find. There's also several other ways you can
      > get window without even depending on Prototype:
      > ([].slice || 0)(0)
      > ([].sort || 0)()
      > ([].forEach || 0)(function(a,b,win){ })
      >
      > So now you're in a tough situation. Do you blacklist all of those vectors? I see you're
      > currently using mozilla() to handle concat, reverse, and sort but that approach won't work
      > consistently on all sites.

      I looked at the Mozilla array methods, and wrapped the three that I
      observed leaking the global object. Under what circumstances do slice,
      forEach, et al, leak?
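
A guard of the kind this thread is asking about, as an added example that is not part of the original messages and is not ADsafe's code: it refuses to run a method with an absent or global receiver and also recognises a global from another frame. The names `guardThis`, `looksLikeGlobal`, `legacyMethod` and `fakeFrame` are hypothetical, and `legacyMethod` and `fakeFrame` are constructed stand-ins for a leaking array method and an iframe's window.

```javascript
// Added illustration; guardThis, looksLikeGlobal, legacyMethod and fakeFrame
// are hypothetical names, not ADsafe or Prototype APIs.

// A global object refers back to itself through window/self/globalThis.
// Testing that, rather than identity with our own global, also catches the
// global of another frame.
function looksLikeGlobal(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return false;
  if (value === globalThis) return true;
  try {
    return value.window === value || value.self === value || value.globalThis === value;
  } catch (e) {
    return true; // cannot inspect it: fail closed
  }
}

// Wrap a method so it never runs with an absent or global receiver and never
// hands a global object back to the caller.
function guardThis(method) {
  return function guarded(...args) {
    if (this === null || this === undefined || looksLikeGlobal(this)) {
      throw new TypeError('receiver is absent or a global object');
    }
    const result = Reflect.apply(method, this, args);
    if (looksLikeGlobal(result)) throw new TypeError('method returned a global object');
    return result;
  };
}

// Constructed stand-ins. A new Function body is always sloppy-mode code, so an
// absent receiver is replaced by the global object before the body runs.
const legacyMethod = new Function('return this');
const fakeFrame = {};
fakeFrame.window = fakeFrame; // mimics an iframe's window

function outcome(fn) {
  try { return { value: fn() }; } catch (e) { return { blocked: e.message }; }
}

function demo() {
  const guarded = guardThis(legacyMethod);
  const list = [3, 1, 2];
  return {
    unguarded: outcome(() => legacyMethod()),      // the global object comes back
    bare: outcome(() => guarded()),                // blocked: no receiver
    frame: outcome(() => guarded.call(fakeFrame)), // blocked: foreign global
    array: outcome(() => guarded.call(list)).value === list, // normal use passes
  };
}
```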
