Peculiar type of cross-domain scripting

Bug reports and enhancement requests
Locked
detuur
Posts: 1
Joined: Fri Apr 01, 2016 10:35 pm

Peculiar type of cross-domain scripting

Post by detuur »

So I happened upon this demonstration of some sort of cross-domain scripting that I've never seen before:
https://mathiasbynens.github.io/rel-noopener (benign POC page)

Now, the malicious potential doesn't seem that high, for now, but maybe it's worth warning NoScript users when this trick is used in suspicious circumstances. Such as a page from another domain manipulating the original page.

What are you guys' thoughts on this?

Apologies if this is old news to you, by the way.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Peculiar type of cross-domain scripting

Post by barbaz »

Cross-origin example doesn't load for me:
Secure Connection Failed

An error occurred during a connection to mathiasbynens.be.

Peer using unsupported version of security protocol.

Error code: <a id="errorCode" title="SSL_ERROR_UNSUPPORTED_VERSION">SSL_ERROR_UNSUPPORTED_VERSION</a>
And it's not letting me use plain http.

Anyway... NoScript does have background tab refresh protections, which should protect against this, right? So does this "attack" still work with NS enabled if it hijacks the original tab actually to a different page, instead of just a different hash on the same page?
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Peculiar type of cross-domain scripting

Post by Thrawn »

Hmm. I tried it, and...well, I never whitelisted the attacker, so no effect :).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Peculiar type of cross-domain scripting

Post by barbaz »

Locking in favor of viewtopic.php?f=7&t=22510 .
*Always* check the changelogs BEFORE updating that important software!
-
Locked