This issue was addressed by ensuring that iframes are only loaded from the same origin as the page itself. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page. This issue was addressed by restricting iframe injection to the same origin as the parent page. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page. This issue was addressed by restricting iframe injection to the same origin as the parent page. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross
Summary
This issue was addressed by ensuring that iframes are only loaded from the same origin as the page itself. In addition, Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page
Google Chrome span style="color: #008060;"
Google Chrome prior to 101.0.4951.41 incorrectly handled WebGL content, allowing cross-origin iframe manipulation. This issue was addressed by enforcing stricter site origins for WebGL. A remote attacker could leverage this for cross-site content injection. This issue was addressed with an update to Chrome 101.0. There was also an issue with iframe implementation in Google Chrome prior to 101.0.4951.41, which allowed a remote attacker to inject cross-site content into another domain via a crafted HTML page and then inject the parent's window event handler on their own domain to execute arbitrary JavaScript code on their behalf in the context of the parent domain's origin and without any user interaction whatsoever from within that domain or any other domain on the internet from which they can access that page through an iframe.
Timeline
Published on: 07/26/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:16:00 UTC