internet explorer madness I have a page that loads a third party stylesheet and alert()'s some info from it. For some reason it only works if I open it locally; hosting the page anywhere breaks it. Here's the code: <html> <head> <link rel="stylesheet" href="https://SNIP" type="text/css"> </head> <body> <script> alert(document.body.currentStyle.fontFamily); </script> </body> </html> I've looked at the HTTP requests in burp and they appear to be identical, except that the local one is missing the Referer header since it's cross-protocol. I've tried changing the doctype & turning quirks mode on and off to to avail. Any ideas? http://sla.ckers.org/forum/read.php?2,46068,46068#msg-46068 Wed, 19 Jun 2013 23:51:32 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,46068,47892#msg-47892 Re: internet explorer madness http://sla.ckers.org/forum/read.php?2,46068,47892#msg-47892 Albino XSS Info Mon, 23 Apr 2012 07:24:34 -0500 http://sla.ckers.org/forum/read.php?2,46068,46070#msg-46070 Re: internet explorer madness http://sla.ckers.org/forum/read.php?2,46068,46070#msg-46070
I have uploaded an HTML page with your code, using the stylesheet from my website, on a completely different domain on a different IP address. And I have the same page on my local Apache, using the same stylesheet from the web. The third possibility is to open the file locally.

All three possibilities seem to work with Internet Explorer 9, but I had to confirm something about the intranet configuration when requesting the file from the localhost Apache.

No problem with Internet Explorer 5.5 and 6, but I can't get any of the three possibilities to work with IE 7. These older versions are not running stable on my system and tabs crash frequently.

Apparently it does not work with the current Firefox and an older Version of K-Meleon, but all versions (local as file, local on my Apache and hosted on a domain) work with Opera 11.62.

One difference to your example is that my stylesheet is not requested through https, but ordinary http. So I have changed the test page to use a stylesheet from an https site. But still all three possibilities work in IE9 and the current version of Opera.

I hope that this information helps. :-)]]> infinity XSS Info Wed, 11 Apr 2012 15:48:15 -0500 http://sla.ckers.org/forum/read.php?2,46068,46069#msg-46069 Re: internet explorer madness http://sla.ckers.org/forum/read.php?2,46068,46069#msg-46069
I spun up IIS and atleast using my local IP, I am still able to fire off the alert.]]> Anonymous User XSS Info Wed, 11 Apr 2012 15:09:12 -0500 http://sla.ckers.org/forum/read.php?2,46068,46068#msg-46068 internet explorer madness http://sla.ckers.org/forum/read.php?2,46068,46068#msg-46068
Here's the code:

<html>
<head>
<link rel="stylesheet" href="https://SNIP" type="text/css">
</head>
<body>
<script>
alert(document.body.currentStyle.fontFamily);
</script>
</body>
</html>

I've looked at the HTTP requests in burp and they appear to be identical, except that the local one is missing the Referer header since it's cross-protocol.

I've tried changing the doctype & turning quirks mode on and off to to avail. Any ideas?]]> Albino XSS Info Wed, 11 Apr 2012 14:02:42 -0500