InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

ssl written iframes are affected by about:blank permissions

https://forums.informaction.com/viewtopic.php?t=5653

Page 1 of 1

ssl written iframes are affected by about:blank permissions

Posted: Fri Jan 07, 2011 5:27 am
by al_9x
A written iframe takes on the URL of the parent and should be allowed if the parent is allowed, and should not be affected by about:blank permissions.

NS 2.0.9.4rc1, Fx 3.6.13, new profile, remove (msn.com, about:blank) from the whitelist.
  1. login to https hotmail: https://mail.live.com/
  2. once you get to the inbox, you'll see that the two ad iframes (1 - lower left, 2 - right column) are untrusted. They both have the url of their parent (InboxLight.aspx), which is trusted.
  3. add about:blank back to the whitelist and refresh, the iframes now appear to be trusted

Re: ssl written iframes are affected by about:blank permissi

Posted: Fri Jan 07, 2011 8:01 am
by Giorgio Maone
Investigating, thanks.

Re: ssl written iframes are affected by about:blank permissi

Posted: Sun Jan 23, 2011 1:49 pm
by al_9x
Another example of this is on the Amazon homepage. The dynamically added (via DOM it seems) iframe should be allowed, since amazon.com is, but isn't Image when about:blank is not whitelisted.

This started in 2.0.9.2. Can you repro?

Re: ssl written iframes are affected by about:blank permissi

Posted: Fri Mar 04, 2011 8:23 pm
by al_9x
fixed in a latter build
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited