How do Google Wave and iGoogle prevent XSS with a widget?

If you have used Google Wave or iGoogle, you have probably seen that you can embed widgets made by third parties without approval. My question is: how do they prevent a widget from using XSS or stealing cookies? Are widgets loaded in an <iframe>? If so, what prevents them from redirecting you to another page?

thanks

+4
3 answers

Yes, they use iframes to post untrusted content. They cannot steal cookies because this content is hosted on a different domain (gmodules.com) and the browser prevents cross-domain interaction.

As for redirection, the module hosted in the iframe CAN change window.location (but surprisingly, cannot read it). Thus, malicious code in a user-loaded module can lead you to a fake Google login page to steal your password.

+3

They can redirect you to another page, as far as I know.

0

I guess this is because these widgets will be banned if they do.

The HTML5 team is working on a real (technical, not legal) solution to this problem using the sandbox attribute in the iframe.

0
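The answers above name two controls: hosting widgets on a separate domain and the iframe sandbox attribute. The following is an added example, not code from the thread or from Google, that audits a widget frame's sandbox value for the redirect risk discussed above. The function names and the `sameOriginAsHost` parameter are assumptions made for illustration; the token names are those of the HTML standard.

```javascript
// Added example: pure functions, no DOM needed. Token names come from the
// HTML standard's <iframe sandbox> attribute.

// Parse a sandbox attribute value; null/undefined means the attribute is absent.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(String(value).toLowerCase().split(/\s+/).filter(Boolean));
}

// Report what a widget frame may do given its sandbox value.
// sameOriginAsHost (assumption supplied by the caller): whether the widget is
// served from the embedding page's own origin rather than a separate domain.
function auditWidgetFrame(sandboxValue, sameOriginAsHost = false) {
  const tokens = parseSandbox(sandboxValue);
  if (tokens === null) {
    return {
      topNavigation: "unrestricted",
      scripts: true,
      keepsOrigin: true,
      findings: ["no sandbox attribute: sandboxing does not stop the widget from setting top.location"],
    };
  }
  const findings = [];
  let topNavigation = "blocked";
  if (tokens.has("allow-top-navigation")) {
    topNavigation = "unrestricted";
    findings.push("allow-top-navigation: widget can redirect the embedding page");
  } else if (tokens.has("allow-top-navigation-by-user-activation")) {
    topNavigation = "user-activation";
    findings.push("top navigation allowed after a user gesture inside the widget");
  }
  const scripts = tokens.has("allow-scripts");
  const keepsOrigin = tokens.has("allow-same-origin");
  if (scripts && keepsOrigin && sameOriginAsHost) {
    findings.push("allow-scripts + allow-same-origin on a same-origin widget: it can remove its own sandbox");
  }
  return { topNavigation, scripts, keepsOrigin, findings };
}

// Constructed sample attribute values, for illustration only.
const samples = [null, "", "allow-scripts", "allow-scripts allow-top-navigation"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", auditWidgetFrame(s).topNavigation);
}
```

A value of `sandbox="allow-scripts"` lets the widget run script while leaving top-level navigation blocked and placing the content in an opaque origin.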

Source: https://habr.com/ru/post/1305698/