On 16.04.2015 11:04, Jan Odvarko wrote:
> On Thu, Apr 16, 2015 at 10:30 AM, Frederik Braun <fbr...@mozilla.com> wrote:
>
> > Running our code in someone else's origin sounds undesired indeed. Not
> > only because of CSP: What if someone puts this in a frame (or a popup)
> > and interacts with this JSON viewer?
>
> Why iteration with a frame with the viewer could be an issue?
>
In a clickjacking-style attack, users could be tricked into dragging & dropping JSON that contains login tokens or other sensitive data.

Alternatively, a cut-out & zoomed iframe that just shows the first few characters (e.g. a CSRF token) could be used as a "fake captcha". Unknowing users would copy the sensitive data from victim.com in the fake captcha form of evil.com (which frames the JSON viewer).

See here for a discussion of a similar attack (against view-source in an iframe):
https://bugzilla.mozilla.org/show_bug.cgi?id=624883
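
Added example, not part of the original thread: a site serving JSON that carries tokens can keep the response from rendering in another origin's frame at all, and the check below classifies a response by its anti-framing headers. The function names and sample headers are constructed; it assumes the browser applies `X-Frame-Options` and CSP `frame-ancestors` to the framed JSON response before any viewer is shown.

```javascript
// Added example: classify whether a response can be rendered in a frame.
// Function names and all sample headers are constructed for illustration.

// Source list of the first frame-ancestors directive in one CSP policy,
// or null when the policy has none.
function frameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// headers: plain object, header name -> value (repeats joined with ", ").
// Returns "blocked", "same-origin", "cross-origin-allowed" or "unprotected".
function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing header counts; the Report-Only variant blocks nothing.
  const lists = (h["content-security-policy"] || "")
    .split(",")
    .map(frameAncestors)
    .filter((list) => list !== null);

  if (lists.length > 0) {
    // Every policy must allow the embedder, so the strictest one decides.
    // An enforced frame-ancestors also makes browsers ignore X-Frame-Options.
    const isNone = (l) => l.every((s) => s === "'none'"); // empty list too
    const isSelf = (l) => l.every((s) => s === "'self'");
    if (lists.some(isNone)) return "blocked";
    if (lists.some(isSelf)) return "same-origin";
    return "cross-origin-allowed";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // Absent, malformed, or the obsolete ALLOW-FROM form: no protection.
  return "unprotected";
}
```

A verdict of "unprotected" or "cross-origin-allowed" on an endpoint that returns tokens means the response can be shown inside another site's frame.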