by jffry 4701 days ago
This is a fascinating attack. Definitely read the bits on the SVG filter timing attacks. They construct something that allows distinguishing black pixels from white pixels, apply a threshold filter to an iframe, and then read out pixels from the contents of that iframe.

Then they turn this around, set an iframe's src to "view-source:https://example.com/", and read out information from there (in a more efficient manner).


I love the way timing attacks seem so unlikely but are actually easy ways to extract information.

Everything about this attack is beautiful. A series of seemingly unrelated issues that don't appear like a problem from the outside but when combined produce a solid attack that you could roll out today.

Well worth reading through the whole article.

A lot of security issues start at one seemingly innocuous little toehold and then use, abuse, and combine the hell out of it to do surprising and obviously-undesirable things with it. That's what I find so beautiful about this sort of hack.
> set an iframe's src to "view-source:https://example.com/",

is it possible to frame view-source?

It used to be possible in Chrome; I'm not sure about Firefox or modern builds of Chrome.
Here's a test, with this markup:

http://jsfiddle.net/GEynT

  <h1>IFrame, normal</h1>
  <iframe src="http://www.example.com/"></iframe>
  <h1>IFrame, view-source</h1>
  <iframe src="view-source:http://www.example.com/"></iframe>
Chrome does not allow it and instead shows a blank frame. Firefox will show the view-source window inside the iframe (which probably /shouldn't/ be allowed). IE10, interestingly, loads that page, and then redirects you to view-source:http://www.example.com immediately.
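The pixel-reading attack the thread is discussing, and the framing test above, both hinge on whether a third-party page can load the victim document in an iframe at all. The usual server-side defence is to refuse framing with `X-Frame-Options` or the CSP `frame-ancestors` directive. The following is an added example, not code from the thread or from any of the commenters: a small Python checker that takes a response's headers and decides whether a given embedder origin would be allowed to frame the page. The header samples are constructed; the origin matching is simplified to an exact origin comparison (real CSP host-source matching also handles wildcards, scheme-only sources and port rules), and the legacy `ALLOW-FROM` form of `X-Frame-Options` is deliberately not handled.

```python
"""Decide whether a document may be framed, from its response headers.

Added example (not from the HN thread). CSP frame-ancestors takes precedence
over X-Frame-Options when both are present; if neither is present the page
is frameable by anyone. Origin matching is a simplified exact comparison.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_allowed(headers: Dict[str, str], embedder_origin: str, page_origin: str) -> bool:
    """True if a page served with `headers` at `page_origin` may be framed by `embedder_origin`."""
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when present.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            for src in ancestors:
                s = src.strip("'").lower()
                if s == "none":
                    return False
                if s == "*":
                    return True
                if s == "self" and embedder_origin == page_origin:
                    return True
                if s == embedder_origin.lower():  # simplified: exact origin match only
                    return True
            return False  # directive present, embedder not listed

    # Fall back to X-Frame-Options (ALLOW-FROM intentionally not handled here).
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True  # no policy at all: any origin may frame the page


# Constructed header sets, as a site audit might collect them.
SAMPLES: Dict[str, Dict[str, str]] = {
    "no-policy": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-allowlist": {"Content-Security-Policy": "frame-ancestors 'self' https://trusted.example"},
}


def audit(samples: Dict[str, Dict[str, str]], page_origin: str, embedder_origin: str) -> Dict[str, bool]:
    """Map each sample name to whether `embedder_origin` could frame the page."""
    return {name: framing_allowed(h, embedder_origin, page_origin) for name, h in samples.items()}


if __name__ == "__main__":
    page = "https://example.com"
    for embedder in ("https://example.com", "https://other.example"):
        print(f"embedder {embedder}:")
        for name, allowed in audit(SAMPLES, page, embedder).items():
            print(f"  {name:15s} frameable={allowed}")
```

Run it stand-alone to see which of the sample policies would let a foreign origin embed the page; for a real audit, feed it the headers from an actual response and treat `True` for a cross-origin embedder as a finding.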