wiki icon indicating copy to clipboard operation
wiki copied to clipboard

Published 20 hours ago verified publisher icon xsleaks

ID Attribute framing protection bypass link

Open 003random opened this issue 2 years ago • 3 comments

Hi! I was reading some more about some fun attacks (having much fun reading all of it) and I noticed that https://xsleaks.dev/docs/attacks/id-attribute/ states that framing protections won't defend against the ID attribute XS-Leak.

https://xsleaks.dev/docs/attacks/experiments/portals/ explains more about this, but Im missing a link between these 2 pages. As a reader, it would be very nice to learn about this bypass right after reading in the first link that XFO wont protect against this type of leak.

003random avatar Sep 13 '22 22:09 003random

Looks like COOP and XFO have been switched

terjanq avatar Sep 14 '22 07:09 terjanq

Yeah COOP would only be a defense if scrolling was detectable on a cross-origin window. Bypassing XFO to leak information using portals would be a security regression so hopefully they don't continue that :/

NDevTK avatar Sep 14 '22 11:09 NDevTK

@003random PR #141 was merged does this fix the issue?

NDevTK avatar Nov 06 '22 18:11 NDevTK