
How does Google Wave & iGoogle prevent XSS by a widget?

If you've used Google Wave or iGoogle you have probably seen that you can insert widgets that are made by third parties without approval. My question is: How do they prevent the widget from performing XSS or stealing cookies? Are the widgets loaded in an <iframe>? If yes, then what prevents them from redirecting you to another page?

Thanks


Yes, they use iframes to host the untrusted content. They cannot steal cookies because this content is hosted on a different domain (gmodules.com), and the browser prevents cross-domain interaction.

Regarding redirection, a module hosted in an iframe CAN change the window.location (but surprisingly, cannot read it). So, it is possible for malicious code in a user-uploaded module to take you to a spoofed google login page in an attempt to steal your password.


I assume it is because those widgets would be banned if they did so.

The HTML5 group is working on a real (technical, rather than legal) solution to this problem using the "sandbox" attribute in iframes.
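To make the sandbox attribute mentioned in this answer concrete, here is an added example (not code from either answer, nor from Google's gadget container) that evaluates what an `<iframe sandbox="...">` value lets embedded third-party content do, using the token semantics of the HTML sandbox attribute: scripts, same-origin access (hence cookies), and top-window navigation. The origins (`https://wave.example` for the host, `https://gmodules.example` for the widget host) are placeholders standing in for the host page and the separate gadget domain described in the first answer.

```javascript
// Added example: reason about iframe sandbox policies for untrusted widgets.
// Token semantics follow the HTML sandbox attribute; origins are placeholders.

const KNOWN_TOKENS = new Set([
  "allow-scripts", "allow-same-origin", "allow-top-navigation",
  "allow-top-navigation-by-user-activation", "allow-forms", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-modals", "allow-downloads",
  "allow-pointer-lock", "allow-presentation", "allow-orientation-lock",
]);

// Parse a sandbox attribute value into its tokens.
// null/undefined means the attribute is absent (no sandbox at all);
// the empty string "" is the most restrictive setting (sandbox with no allowances).
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  const tokens = new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  return tokens;
}

// Evaluate the capabilities a widget frame ends up with.
function evaluateWidgetFrame({ sandbox, hostOrigin, widgetOrigin }) {
  const tokens = parseSandbox(sandbox);
  const sandboxed = tokens !== null;
  const sameOrigin = hostOrigin === widgetOrigin;

  // A sandboxed frame gets an opaque (unique) origin unless allow-same-origin is set,
  // so it is never same-origin with the host in that case.
  const effectivelySameOrigin =
    sameOrigin && (!sandboxed || tokens.has("allow-same-origin"));
  const scriptsAllowed = !sandboxed || tokens.has("allow-scripts");

  return {
    scriptsAllowed,
    // The host's cookies/DOM are reachable only if the frame is same-origin with the host,
    // which is why serving widgets from a separate domain (as in the first answer) matters.
    canReadHostCookies: scriptsAllowed && effectivelySameOrigin,
    // An unsandboxed frame can set top.location (the redirection the first answer warns about);
    // a sandboxed frame needs an explicit allow-top-navigation* token to do so.
    canRedirectTop:
      !sandboxed ||
      tokens.has("allow-top-navigation") ||
      tokens.has("allow-top-navigation-by-user-activation"),
    // Known pitfall: allow-scripts + allow-same-origin on a frame that is same-origin with
    // the host lets its script reach the parent document and remove the sandbox entirely.
    sandboxEscapable:
      sandboxed && sameOrigin &&
      tokens.has("allow-scripts") && tokens.has("allow-same-origin"),
  };
}

// Build the least-privilege sandbox value for a widget that declares what it needs.
// Top navigation and same-origin access are never granted to third-party widgets.
function minimalSandboxFor(needs) {
  const tokens = ["allow-scripts"];
  if (needs.forms) tokens.push("allow-forms");
  if (needs.popups) tokens.push("allow-popups");
  return tokens.join(" ");
}

// Render the iframe markup for a widget with the chosen policy.
function renderWidgetFrame(src, sandbox) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${esc(src)}" sandbox="${esc(sandbox)}"></iframe>`;
}

// Stand-alone usage with constructed inputs.
const host = "https://wave.example";
const gadgetHost = "https://gmodules.example";
console.log(evaluateWidgetFrame({ sandbox: null, hostOrigin: host, widgetOrigin: gadgetHost }));
console.log(renderWidgetFrame(`${gadgetHost}/widget?id=1`, minimalSandboxFor({ forms: true })));
```

The evaluation shows the two layers the answers describe: the separate widget domain alone already keeps cookies out of reach but still leaves top-window redirection open, while a sandbox without `allow-top-navigation` closes that too. The `sandboxEscapable` flag captures the one combination to avoid when widgets are served from the host's own origin.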


They can redirect you to another page, as far as I know.
