2007-03-09

Transfer Arguments with showModelessDialog and window.open

The MSDN documentation for showModelessDialog says:

Because a modeless dialog box can include a URL to a resource in a different domain, do not pass information through the vArguments parameter that the user might consider private. The vArguments parameter can be referenced within the modeless dialog box using the dialogArguments property of the window object.

But, again, MS lies. showModelessDialog can't pass arguments to a different domain. If you open a dialog in a different domain, window.dialogArguments in the dialog will be undefined (even if dialogArguments is a literal string).

In fact, because dialogArguments can be a JavaScript object, there would be a security issue if such a transfer were allowed.

To create a return value for showModelessDialog, set the vArguments parameter to a callback function or an object in the showModelessDialog call. In the modeless dialog box, you can reference this function or object through the dialogArguments property of the window object.

Imagine your site has a dialog that uses the callback method described above. A hacker can easily get the name of the callback function from the source code of the dialog page. If cross-domain access were allowed, the hacker could write his own page, provide his evil callback via dialogArguments and open your dialog page from it. Then he could publish his Trojan page somewhere and phish your customers. If users open his page, the best case would be leaking some info (possibly a password, if it's a login dialog), and in the worst case the evil code is executed and the hacker can do anything, such as transferring the user's money to his own account (if it's a bank site).

Thank God, the hackers are disappointed because MS lied in their documents :P
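To make the risk in the callback pattern concrete, here is an added example (not code from the original post) of the dialog-page side: the unsafe form runs whatever function arrives in dialogArguments, while the hardened form only accepts the name of a handler the dialog itself defines. The handler names, the stand-in dialogArguments objects and the results are constructed for illustration; in IE the opener would pass the object as the vArguments parameter of showModelessDialog.

```javascript
// Unsafe: whoever opened the dialog chooses the code that runs here.
function invokeCallbackUnsafe(dialogArgs, result) {
  return dialogArgs.callback(result);
}

// Hardened: handlers live in the dialog page; the opener only picks one by name.
// (Constructed handlers for illustration; they return strings so the outcome
// can be checked.)
var ALLOWED_HANDLERS = {
  onLoginSuccess: function (result) { return 'login:' + result.user; },
  onCancel: function () { return 'cancelled'; }
};

// Returns the allowlisted handler named by dialogArgs.handler, or null when the
// argument is missing (the cross-domain case, where IE leaves dialogArguments
// undefined), is not a plain object, carries a non-string name, or names
// something the dialog did not export (e.g. 'toString' from Object.prototype).
function resolveDialogHandler(dialogArgs) {
  if (dialogArgs === null || typeof dialogArgs !== 'object') return null;
  var name = dialogArgs.handler;
  if (typeof name !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_HANDLERS, name)) return null;
  return ALLOWED_HANDLERS[name];
}

// What the dialog runs when it has a result to report back to the opener.
function reportResult(dialogArgs, result) {
  var handler = resolveDialogHandler(dialogArgs);
  return handler ? handler(result) : null;
}

// Opener side (browser only): pass a handler name, never a function, e.g.
//   window.showModelessDialog('dialog.html', { handler: 'onLoginSuccess' }, features);
// The stand-alone run below uses plain objects in place of dialogArguments.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(reportResult({ handler: 'onLoginSuccess' }, { user: 'alice' })); // login:alice
  console.log(reportResult({ handler: 'toString' }, {}));                        // null
  console.log(reportResult(undefined, {}));                                      // null
}
```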

BTW, I found some changes from IE6 to IE7, summarized in the table below. The similar functionality (window.open with the dependent feature) in Firefox and Opera was also tested.

                            same domain   same domain, diff port   diff domain
showModelessDialog (IE6)    Y             N                        N
showModelessDialog (IE7)    Y             Y                        N
window.open (Firefox 2)     Y             N                        N
window.open (Opera 9)       Y             Y                        N

For showModelessDialog, Y means the script in the dialog window can get dialogArguments.

For window.open, Y means the script in the new window can access the variables that the parent window assigned to the new window's object. Code sample:

page1
=====
// page2 is the URL of the second page, features the window feature string
var newWin = window.open(page2, features);
newWin.abc = {toString: function () { return 'abc'; }};

page2
=====
alert(window.abc); // shows 'abc' (via the object's toString)

Finally, IE has a timing issue. Code sample:

page1
=====
// page2 is the dialog URL, args the vArguments value, features the feature string
var newWin = window.showModelessDialog(page2, args, features);
newWin.abc = {toString: function () { return 'abc'; }};

page2
=====
alert(window.abc); // shows 'abc' on first access, otherwise undefined

window.onload = function () {
  alert(window.abc); // shows 'abc' on first access, otherwise undefined
  setTimeout(function () {
    alert(window.abc); // shows 'abc'
  }, 10);
};

Apparently, this issue is related to the caching behaviour of showModelessDialog. If the page is loaded from the cache, all scripts in page1 will be executed before the second line of page2, unless the access is deferred by a timer.
