So I happened upon this demonstration of some sort of cross-domain scripting that I've never seen before:
https://mathiasbynens.github.io/rel-noopener (benign POC page)
Now, the malicious potential doesn't seem that high, for now, but maybe it's worth warning NoScript users when this trick is used in suspicious circumstances. Such as a page from another domain manipulating the original page.
What are you guys' thoughts on this?
Apologies if this is old news to you, by the way.
Peculiar type of cross-domain scripting
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
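The PoC linked above works because a page opened via a link with target="_blank" keeps a window.opener reference and can navigate the original tab unless the link carries rel="noopener" (or rel="noreferrer", which implies it). As an added example that is not part of the thread or of NoScript, the script below audits a chunk of HTML for such links and computes the hardened rel value; the tag regex and the sample markup are simplifications constructed for the demonstration, and the SAMPLE_HTML links are placeholders, not real pages.

```javascript
// Added example, not code from the thread or from NoScript.
// Finds <a target="_blank"> links lacking rel="noopener"/"noreferrer" and
// reports the rel value that would sever window.opener in the new tab.
// Assumption: a simplified tag regex is enough for the constructed sample;
// in a browser the same audit would walk document.querySelectorAll('a[target="_blank"]').

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one start tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : (m[4] || ''));
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return the rel value a link that opens a new browsing context should carry.
// 'noopener' makes window.opener null in the new page, so it cannot navigate
// this tab; 'noreferrer' implies noopener and also withholds the Referer header.
function hardenRel(rel) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].sort().join(' ');
}

// Audit every target="_blank" anchor in the markup.
function auditAnchors(html) {
  const findings = [];
  let m;
  ANCHOR_RE.lastIndex = 0;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const tokens = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    const safe = tokens.includes('noopener') || tokens.includes('noreferrer');
    findings.push({
      href: attrs.href || '',
      rel: attrs.rel || '',
      safe,
      fixedRel: hardenRel(attrs.rel),
    });
  }
  return findings;
}

// Constructed sample markup (placeholder URLs, not real pages).
const SAMPLE_HTML = `
<a href="https://example.org/a" target="_blank">no rel: new tab keeps window.opener</a>
<a href="https://example.org/b" target="_blank" rel="noopener">opener severed</a>
<a href="https://example.org/c" target="_blank" rel="nofollow noreferrer">opener severed via noreferrer</a>
<a href="https://example.org/d">same tab, not affected by this issue</a>
`;

const REPORT = auditAnchors(SAMPLE_HTML);
console.log(JSON.stringify(REPORT, null, 2));
```

Only the first sample link is flagged; the audit treats noreferrer as sufficient because browsers apply noopener semantics to it. Note that current browsers (Firefox 79+, Chrome 88+, Safari 12.1+) already behave as if target="_blank" links carried noopener, so the explicit attribute matters mainly for older browsers and for windows opened with window.open().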
Re: Peculiar type of cross-domain scripting
Cross-origin example doesn't load for me:
And it's not letting me use plain http.
Secure Connection Failed
An error occurred during a connection to mathiasbynens.be.
Peer using unsupported version of security protocol.
Error code: SSL_ERROR_UNSUPPORTED_VERSION
Anyway... NoScript does have background tab refresh protections, which should protect against this, right? So does this "attack" still work with NS enabled if it hijacks the original tab actually to a different page, instead of just a different hash on the same page?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Peculiar type of cross-domain scripting
Hmm. I tried it, and...well, I never whitelisted the attacker, so no effect.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: Peculiar type of cross-domain scripting
Locking in favor of viewtopic.php?f=7&t=22510.