If you've used Google Wave or iGoogle you have probably seen that you can insert widgets that are made by third parties without approval. My question is: How does prevent the widge from performing XSS or steak co开发者_如何学运维okies? Are the widgets loaded in an <iframe>? If yes, then what prevents them from redirecting you to another page?
Thanks
Yes, they use iframes to host the untrusted content. They cannot steal cookies because this content is hosted on a different domain (gmodules.com), and the browser prevents cross-domain interaction.
Regarding redirection, a module hosted in an iframe CAN change the window.location (but surprisingly, cannot read it). So, it is possible for malicious code in a user-uploaded module to take you to a spoofed google login page in an attempt to steal your password.
I assume it is because those widgets would be banned if they did so.
The HTML5 group is working on a real(technical, rather than legal) solution to this problem using the "sandbox" attribute in iframes.
They can redirect you to another page, as far as i know.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论