Homakov, I like your posts, audits and the like but I really suggest you ask someone to review them before publishing because for the life of me I cannot comprehend what you are writing most of the time.
It's simple really if you understand what's going on.
iframe code can access `frames[0].document` cross domain. Clicking on the link within the Google Translate iframe modifies the target page on another domain.
curl http://homakov.github.io/guc.html
If that were true it would be a major security vulnerability. ;-)
The Google Translate content is served up from a subdomain of googleusercontent.com. This is a domain designated by Google for user-supplied content so that it can be rendered without affecting the safety of pages on google.com and elsewhere.
The demonstration here is that one page on googleusercontent.com can affect another page on googleusercontent.com. This is perfectly acceptable via the same origin policy.
I think glebm implies the same: "iframe code can access `frames[0].document` cross domain" means through translate.google.com, and "modifies target page on another domain" means it modifies a page with the same domain but rendered on another domain.
Why does Google add visitor regional information to the domains on blogspot, in this case .com.es for no apparent reason?
It's intensely annoying to crawl political blogs for Australia, UK, New Zealand and US from my server in Germany and then have all the URLs end in .de when they go into my news site. As a problem the solution is trivial I suppose, but why do they do it in the first place?
Censorship, as they already explained. They can do country-specific censorship (like: in China, the govt asks for something offensive there to be removed) but leave it accessible from everywhere else. Also, they can inform people in those countries that they cannot access that specific content.
Of course, that means that with a little bit of fiddling (change the domain name end, I think) you can read a censored post if you're in a problematic country. It's quite a good idea, actually.
Also, homakov, I had to edit the iframe width/height just to be able to see the link in the first place because Google's putting all the login stuff at the top. I'd suggest setting the height to 300px instead of 30px. Are you running something which stops that showing in your browser?
> the request was made in a sandboxed frame whose 'allow-popups' permission is not set
The GUC Page 1 (having a link inside) is not sandboxed and is located on homakov.blogspot.com. Since it calls window.open on click, Chrome must not block opening a popup. I'm pretty sure you have specific/strict settings?
>So the attack doesn't seem to work in Chrome.
It worked for me, for my friends, and for people who +1'd the item. Let's figure out what went wrong.
Login stuff? When I/my friends run it in incognito, there is nothing but that link. There is some weird token in the URL, but it seems to be valid for everyone.
Exactly the same for me. I'm using Firefox and I'm not signed in to Google+. Visiting the given URL in another tab works, but I have to click to disable the "Translated in Safe Mode" feature first.
What is happening? You've loaded something in an iframe, that I can see, but there is a passing reference to XSS and cookie tossing that isn't elaborated upon, which for me would be what I really want explained.
Google opens translated pages under translate.googleusercontent.com. The link is located on GUC Page 1 (now, perhaps, you can see the iframe, but it's trivial to add some CSS to make it look more seamless). It opens this URL with window.open: http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht...
Now GUC Page 1 changes the content of GUC Page 2 (the translated page of kremlin.com), using some DOM and frame tricks I ranted a bit about in the post.
This is an unrelated exception. Looks like the problem the guys described below (not logged in to Google). I can't reproduce it, but it is not a browser bug, just a matter of having a Google account.
Wait a second, could you not read my Google login session cookie from this page with a seamless iframe to a Google domain? Again, like the person above, I didn't really understand what's going on here.
No cookie/XSS or any real vuln is involved here. This is a completely standard design problem of a sandbox domain. Check out http://homakov.github.io/guc.html
The part with yourname is other_origin. I change the content of GUC Page 2 using GUC Page 1 through other_origin (translate.google.com). No XSS or cookies. Just standards :D
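As an added illustration (not code from the post or from anyone in this thread), here is a small Node.js model of the same-origin check that the chain above relies on: GUC Page 1 opens a translate.google.com popup, that popup frames GUC Page 2, and Page 1 reaches `popup.frames[0].document` because both GUC pages share the origin `http://translate.googleusercontent.com`. The hostnames come from the thread; the paths and query strings are constructed assumptions, and the frame tree is a model rather than a real browser.

```javascript
// Added example, not from the original post. Models how script running in
// one window can reach documents elsewhere in the window tree under the
// same-origin policy. Hostnames are the ones named in the thread; paths and
// query strings are assumed for illustration.

// Origin = scheme + host + port: exactly what the same-origin check compares.
function origin(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// A window in the model: the URL of its document plus its child frames.
function win(url, frames = []) {
  return { url, frames };
}

// Walk the tree the way script in `accessorUrl` would. Indexing `frames[i]`
// on a cross-origin window is allowed (the WindowProxy is exposed
// cross-origin), but `.document` is only readable when the accessor's
// origin matches that frame's document origin.
function reachableDocuments(accessorUrl, root, path = 'popup') {
  const out = [];
  if (sameOrigin(accessorUrl, root.url)) out.push(`${path}.document`);
  root.frames.forEach((f, i) => {
    out.push(...reachableDocuments(accessorUrl, f, `${path}.frames[${i}]`));
  });
  return out;
}

// Constructed instance of the chain described in the thread:
// GUC Page 1 (the accessor) -> translate.google.com popup -> GUC Page 2.
const PAGE1 =
  'http://translate.googleusercontent.com/translate_c?u=http://homakov.blogspot.com/';
const POPUP = win(
  'http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http://kremlin.com/',
  [win('http://translate.googleusercontent.com/translate_c?u=http://kremlin.com/')]
);

function demo() {
  // In a real browser this corresponds to:
  //   var w = window.open(POPUP.url); ... w.frames[0].document.body.innerHTML = ...
  return reachableDocuments(PAGE1, POPUP);
}

// Mitigation the model makes visible: if each translated document were served
// from its own subdomain (assumed hostname below), the origins would differ
// and Page 1 could no longer read Page 2's document.
const PAGE2_ISOLATED =
  'http://a1b2c3.translate.googleusercontent.com/translate_c?u=http://kremlin.com/';

console.log(demo());                            // [ 'popup.frames[0].document' ]
console.log(sameOrigin(PAGE1, PAGE2_ISOLATED)); // false
```

The popup's own document stays out of reach (translate.google.com is a different origin), but nothing stops the accessor from walking `frames[0]`, and that frame's document is same-origin with Page 1. This is the "standard design problem of a sandbox domain" mentioned above: everything hosted under one shared sandbox hostname is one origin to the browser.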
Although... Does this not require one to click on a link in a framed google translate page before displaying its payload? In other words, it doesn't seem like one could simply submit a URL to HN that, when clicked, displays some inauthentic news headline on your screen with a GUC.com address in the location bar. Is that not correct?