[thelist] Security of <object>

Bill Moseley moseley at hank.org
Mon Jan 14 15:35:50 CST 2008

I have the need to display an external web page within and existing
XHTML page.

Seems like I have two options.  One is to fetch the web page and then
place its content in a frame (not an iframe).  I'm not keen on that

The other, which I'd prefer, is to just use an <object> tag and have
the client load the file directly.  That avoids the trip from the
remote server through my server back to the client.

My concern is about any script that might be running on the loaded web
page via <object>.  I assume <object> is isolated (e.g. can not read a
cookie from the browser).  But, Google sure does turn up a lot of
issues with Internet Explorer when I do a general search for object
security issues.

We will leak the request information in the Referer header, but that
will be of little value w/o the session id in the cookie.

Also, I assume browses will alert the user if the page is SSL and the
<object> is not, true?


Bill Moseley
moseley at hank.org

More information about the thelist mailing list