InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Weirdness with iframe srcdocs

https://forums.informaction.com/viewtopic.php?t=18858

Page 1 of 1

Weirdness with iframe srcdocs

Posted: Mon Dec 30, 2013 7:27 pm
by barbaz
SeaMonkey 2.23, NS 2.6.8.9rc5. If I Allow file://, then open a file with this contents:

Code: Select all

<!DOCTYPE html>
<iframe srcdoc="<script type="text/javascript">alert("Cuckoo");</script><div>text</div>"></iframe>
<div id="2">noscript</div>
<script type="text/javascript">document.getElementById("2").innerHTML = "Script";</script>
I get an alert even though about:srcdoc is listed as forbidden in the menu :?:
This is unexpected behavior - it would be better if about:srcdoc is either not shown in the menu (with each srcdoc automatically getting the same permissions as its parent page), or scripts from srcdocs are forbidden until explicitly allowing about:srcdoc. Would it be possible (and reasonable) to make one of those changes?

Re: Weirdness with iframe srcdocs

Posted: Mon Dec 30, 2013 8:56 pm
by Giorgio Maone
barbaz wrote:it would be better if about:srcdoc is either not shown in the menu (with each srcdoc automatically getting the same permissions as its parent page), or scripts from srcdocs are forbidden until explicitly allowing about:srcdoc. Would it be possible (and reasonable) to make one of those changes?
Yes, probably the former (just ignoring about:srcdoc or making it unmodifiable like chrome:) is the most viable and less confusing.

Re: Weirdness with iframe srcdocs

Posted: Mon Dec 30, 2013 9:14 pm
by Giorgio Maone
Please check latest development build 2.6.8.10rc1, thanks.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited