[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
You can add properties to any object, that's normal behaviour in IE.
It is a Cross-site sripting (XSS) bug if you can write it on a site on
domain A and read it from another site on domain B. Migitating factor for
this is that you can not read anything but the properties you've added. I
don't think any site has anything worth stealing hidden in there ;) But it
would be a cool way to implement a pipe across domains, using this propertie
as a buffer.
----- Original Message -----
From: "Uli Häfele" <uli.haefele@xxxxxxxxxx>
Sent: Thursday, April 01, 2004 18:22
> Navigator Object can be written by just adding a property.
> The following code used within an html page
> navigator.myString = "Hello world";
> adds the property myString to the navigator object.
> The content of the navigator object is existent as long as the current
> Browser window is open.
> I can read the content of the object even from different domains (first
> domain writes the string, second domain reads it)
> Mozilla doesn't allow the navigator object to cross the domain borders.
> I'm not even sure if this is a bug. Is this behaviour correct?
> Access your knowledge