Some time ago I’ve read David Wheeler's blogpost about using the OBJECT tag to embed HTML in your HTML :-). One of the things which peaked my interest was the question: what are the security implications of using this method? Specifically I was interested if the same cross-domain / same-policy rules applied to interaction between the parent and child as in the case of IFRAMES.
The response? Partially. The specifics are:
- I tested it with IE8, FF 3 and Opera 9. IE8 doesn’t appear to render the referenced HTML, while the two browsers do (I’m not sure if this is a security feature or a bug :-)).
- Neither of the two browsers (FF or Opera) seems to give access to the child from the parent, regardless if the child is loaded from the same domain or not
- Both browsers allow the child to access the parent (again, regardless if you include it from the same domain or not)
What does this mean for security?
- You can use this in situations where you can’t inject a script directly, but you can control the URL which is included in the object tag, which effectively is equivalent with an XSS attack. The scenario is less likely than having a direct XSS attack, but still feasible
- You can attack the embedded site by providing HTML elements in the parent which scripts in the child are looking for (for example, if you say “document.body” in the child, it will actually mean the body of the parent). Again, to exploit such a situation, you need to have fairly specific circumstances, but it is not impossible.
This again shows (as if it needs showing...) how complex web security is and how many features there are which can interact in various ways, making it hard to foresee all the possible combinations and their particular (security) implication.
Picture taken from Laurel Fan's photostream with permission.