If I set up a page having an XSS vector in the URL, and add an iframe to your page printing the referer, the URL of my page is set as the referer to yours. If I now trick someone into visiting my page by using, say, a shortened URL on Twitter, I now run script on your page as that user.
Erlend
On 12 Feb 2012 at 11:35, Erlend Oftedal wrote:
If I set up a page having an XSS vector in the URL, and add an iframe to your page printing the referer, the URL of my page is set as the referer to yours. If I now trick someone into visiting my page by using, say, a shortened URL on Twitter, I now run script on your page as that user.
Erlend
Sure, when I visit your site, it can run a script in my browser - but not
inside this iframe.
My browser sets the referer for the iframe to the URL of your page, and not to
the script you sent it as referer, right?
Frank Heyne
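The sink the thread is arguing about is a page that reflects the Referer request header into its HTML. The following is an added example written for this page, not code from either poster: it models such a handler in its vulnerable form beside a hardened one. The header value `CONSTRUCTED_REFERER` is a constructed sample standing in for the URL of an embedding page; `attacker.invalid` is a placeholder host, and the header dictionaries are an assumed stand-in for a real request object.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: the full URL of a third-party page that embeds our page
# in an iframe. A browser sends the embedding page's URL, query string included,
# as the Referer of the framed request, so anything in that URL arrives at our
# server as the header value. The host is a placeholder, not a real site.
CONSTRUCTED_REFERER = "https://attacker.invalid/page?q=<script>alert(1)</script>"


def render_vulnerable(headers):
    """Vulnerable: reflects the Referer header into HTML without encoding.

    `headers` is an assumed dict of request headers (stand-in for a request object).
    """
    referer = headers.get("Referer", "")
    return f"<p>You came from: {referer}</p>"


def render_hardened(headers):
    """Hardened: HTML-encode the untrusted header before reflecting it.

    html.escape turns < > & " ' into entities, so markup in the Referer is
    rendered as text rather than parsed as tags or attributes.
    """
    referer = headers.get("Referer", "")
    return f"<p>You came from: {html.escape(referer, quote=True)}</p>"


def render_origin_only(headers):
    """Stricter variant: reflect only the scheme and host of the Referer.

    Dropping the path and query removes the part of the header an embedding
    page controls most freely; the result is still encoded before output.
    """
    referer = headers.get("Referer", "")
    parts = urlsplit(referer)
    if parts.scheme and parts.netloc:
        origin = f"{parts.scheme}://{parts.netloc}"
    else:
        origin = ""
    return f"<p>You came from: {html.escape(origin, quote=True)}</p>"


def contains_raw_script_tag(markup):
    """Detection helper: True if an unencoded <script> tag survived into the output."""
    return "<script>" in markup


if __name__ == "__main__":
    request_headers = {"Referer": CONSTRUCTED_REFERER}
    print("vulnerable:", render_vulnerable(request_headers))
    print("hardened:  ", render_hardened(request_headers))
    print("origin:    ", render_origin_only(request_headers))
```

The point to take from the vulnerable branch is that the Referer is just another attacker-influenced input: the site that embeds you chooses the URL it is loaded from, so the header needs the same output encoding as a query parameter. A `Referrer-Policy` header only governs what your own pages send outbound; it does nothing about what arrives inbound, so the fix belongs at the output sink.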