Cross-origin access security vulnerability in Chrome iframe

The cross-origin access processing of iframe in Chrome is vulnerable to attacks on websites that use iframe for cross-Origin data transmission. Cross-Origin data can be obtained by malicious websites.
Detailed Description: Chrome browser version used for testing: 18.0
 
Iframe. contentWindow. name can still retain the previous content after page switching in iframe. This method is often used for cross-Origin data acquisition of JS.
 
The normal way to obtain cross-Origin data through iframe. contentWindow. name is:
1. Create an iframe for JS on the page at www.jamcode.org, and src is google.com/test.html
2. The JS in google.com/test.htmlsets window.name= "data content"
3. Then, the js*in google.com/test.htmlmust initiate the location.replaceationto jamcode.org/blank.html.
Iframe. contentWindow. the content of the name will not be lost, and, because the iframe and the host page are already in the same domain after the jump is completed, JS in www.jamcode.org can get the iframe. contentWindow. name to obtain cross-Origin data.
 
 
Chrome security vulnerabilities:
 
A required trust step for retrieving data through iframe. name cross-origin is that pages in iframe must automatically jump to a page in the same domain as the host page. However, in Chrome, you can set iframe through the JS of the host page. src is a page in its own domain, iframe. contentWindow. the name is retained, so that any malicious page can obtain iframe. contentWindow. name.
Steps for exploits:
1. Create an iframe for JS on the page at www.jamcode.org, and src is google.com/test.html
2. The JS in google.com/test.htmlsets window.name= "data content"
3. After www.jamcode.org listens to the iframe. onload event, JS directly sets iframe. src to callback.
Proof of vulnerability: code on the google.com/test.html page:
 
<Script>
Window. name = "uid = xxx; friends = 1,23, 44 ;...";
Location. replace ("plus.google.com/blank.html ");
</Script>
 
Code for www.2cto.com/evil.html:
 
<Script>
Var iframe = document. createElement ("iframe ");
Iframe. onload = function (){
Iframe. src = "/blank.html ";
Alert (iframe. contentWindow. name );
};
Iframe. src = "google.com/test.html ";
</Script>
 
 
Solution:
 
 
The content of window. name must be retained only when the page in iframe is actively transitioned.
Or
After the iframe page changes, the content of iframe. contentWindow. name is no longer retained.
 
Author Jam