Field | Value
---|---
Summary | Gadget embed blocked by XSSAuditor due to URL in content
Product | WebKit
Component | WebCore Misc.
Reporter | Moses Gunesch <mosesoak>
Assignee | Nobody <webkit-unassigned>
Status | RESOLVED DUPLICATE
Severity | Normal
Priority | P2
CC | abarth, bfulgham, dbates
Keywords | XSSAuditor
Version | 528+ (Nightly build)
Hardware | All
OS | All
URL | http://sites.google.com/a/1stnepean.ca/scout-troop/photos/2009-year-in-review
Attachments | 50164 (Web archive of page), 50165 (HTML source for page)
Description

Moses Gunesch, 2010-03-05 11:57:01 PST

Created attachment 50164 [details]
Web archive of page

For preservation of page.

Created attachment 50165 [details]
HTML source for page

For preservation and convenience, just the HTML source for the page.

For completeness, the error message is:

Refused to load an object. URL found within request: "http://static.animoto.com/swf/w.swf?w=swf/vp1&e=1267732564&f=kbTH10UL1werpQ1xttXQow&d=206&m=a&r=w+s&i=m&ct=1st%20Nepean%20Scouts&cu=http://sites.google.com/site/1stnepeanscouts/parents&options=autostart/start_hq".

From briefly looking at the HTML source, this is an XSS attack since the page <http://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com/gadgets/ifr> calls document.innerHTML with the contents of the anchor #up_embed_snippet. Moreover, among the <object>/<embed> parameters passed is allowscriptaccess="always", which would allow the Flash content to execute arbitrary JavaScript. In this case, such scripts would execute with respect to the domain for the iframe, http://jujo00obo2o234ungd3t8qjfcjrs3o6k-a-sites-opensocial.googleusercontent.com.

I am not too familiar with Google Gadgets or its workings. Adam may have more insight into this.

(In reply to comment #3)
> calls document.innerHTML with the contents of the anchor #up_embed_snippet.

I meant to say that it sets the innerHTML of the element whose id is "dest" to the contents of the anchor #up_embed_snippet.

I think googleusercontent.com is meant to be a "throw away" domain that hosts untrusted content. From your description it sounds like the gadget itself has an XSS vulnerability. The gadget author should probably either fix their security vulnerability or opt out of XSS protection by sending the X-XSS-Protection: 0 header. (Note that this control header is still under review at <https://bugs.webkit.org/show_bug.cgi?id=34436>.)

This should be resolved by Bug 230499.

*** This bug has been marked as a duplicate of bug 230499 ***
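The thread above describes the gadget copying a user-supplied <object>/<embed> snippet straight into innerHTML, with allowscriptaccess="always" left intact. The block below is an added example written for this page; it is not code from WebKit, Google Gadgets or the gadget author. It shows the fix the comments point at on the gadget side: pull only the SWF URL out of the snippet, validate it against a constructed host allowlist (ALLOWED_SWF_HOSTS is an assumption, not a real configuration value), and generate the embed markup from scratch so no attribute from the untrusted snippet survives. The sample snippet is constructed to mirror the shape of the one in the report.

```javascript
// Added example (not WebKit or gadget code): safe rendering of an untrusted
// Flash embed snippet, instead of assigning the raw snippet to innerHTML.

// Constructed allowlist of hosts from which SWF players may be loaded.
const ALLOWED_SWF_HOSTS = new Set(["static.animoto.com"]);

// Return the value of the first src=, data= or <param name="movie" value=...>
// attribute in the snippet, or null if there is none. Nothing else from the
// snippet is ever used.
function extractSwfUrl(snippet) {
  const m = snippet.match(
    /(?:\b(?:src|data)\s*=|name\s*=\s*"movie"\s+value\s*=)\s*"([^"]*)"/i
  );
  return m ? m[1] : null;
}

// Accept only absolute http(s) URLs to a .swf on an allowlisted host.
// Returns the normalized URL, or null if any check fails.
function validateSwfUrl(raw) {
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null; // drops javascript:, data:, ...
  if (!ALLOWED_SWF_HOSTS.has(url.hostname)) return null;
  if (!url.pathname.toLowerCase().endsWith(".swf")) return null;
  return url.href;
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the markup ourselves: fixed attributes, script access denied.
function buildEmbedMarkup(swfUrl, width, height) {
  const w = Number.isInteger(width) && width > 0 ? width : 320;
  const h = Number.isInteger(height) && height > 0 ? height : 240;
  const u = escapeAttr(swfUrl);
  return (
    `<object type="application/x-shockwave-flash" data="${u}" width="${w}" height="${h}">` +
    `<param name="movie" value="${u}">` +
    `<param name="allowscriptaccess" value="never">` +
    `<param name="allownetworking" value="internal">` +
    `</object>`
  );
}

// Full path: untrusted snippet in, generated markup out (null = refuse to render).
function renderGadgetSnippet(snippet, width, height) {
  const raw = extractSwfUrl(snippet);
  if (raw === null) return null;
  const swfUrl = validateSwfUrl(raw);
  if (swfUrl === null) return null;
  return buildEmbedMarkup(swfUrl, width, height);
}

// Constructed sample snippet in the shape of the one from the report.
const SAMPLE_SNIPPET =
  '<embed src="http://static.animoto.com/swf/w.swf?w=swf/vp1&e=1267732564" ' +
  'allowscriptaccess="always" width="432" height="240"></embed>';

console.log(renderGadgetSnippet(SAMPLE_SNIPPET, 432, 240));
console.log(renderGadgetSnippet('<embed src="javascript:void(0)">', 1, 1)); // null
```

The point of building the markup rather than filtering the snippet is that the untrusted input contributes exactly one value, the SWF URL, and that value is parsed with the URL class and checked against an explicit allowlist before it is escaped into a fixed template. An approach that tries to strip dangerous attributes from the snippet in place has to anticipate every encoding trick the parser accepts; this one does not.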