Thank you for the detailed work on DOM clobbering across different browsers. However, in Section 4.2.2 and Table 2 of your Oakland paper, you mention that an iframe with id=x can affect document.x, which has been listed as one of your new findings.
"Named Access Window and DOM Tree Accessors. We discovered that any custom HTML tag (e.g., customtag) can be used to clobber a target variable x and window.x in all web browsers. Also, iframe tags with id=x can clobber document.x and named applet elements can clobber both window.x and document.x. In total, we found five new instances across four out of the 14 classes that rely on the Window Named Access and DOM Accessors techniques."
I ran some tests using BrowserStack and found that the iframe id attribute doesn't seem to clobber the DOM Tree Accessors in a few listed versions of Chrome, Firefox, and Edge (which contradicts Table 2):
Chrome: Tested from version 86 to 123
Firefox: Tested from version 80 to 124
Edge: Tested from version 80 to 123
Could there have been updates or changes in browser behavior not covered in the paper? I believe the iframe tag with an id attribute cannot clobber the lookup on the document in the column listed in Table 2. If I'm missing something, could you point me to the specific browser versions where the iframe clobbers document.x as described?
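
For comparison with the behaviour reported above, here is an added example (not code from the paper, its artifact, or the issue author) that models the HTML Standard's named-property rules for Document and Window and evaluates the disputed `<iframe id=x>` case next to related markup. The function names and element descriptors are constructed for illustration, embed and object elements are assumed to be "exposed", and the output reflects the specification text, not measurements from any browser version.

```javascript
// Added example: a model of the HTML Standard's named-property rules.
// Element descriptors are constructed samples; embed/object are assumed "exposed".
const DOC_NAME_TAGS = new Set(['embed', 'form', 'iframe', 'img', 'object']);
const WIN_NAME_TAGS = new Set(['embed', 'form', 'img', 'object']);

// Names one element contributes to the Document named getter (document.<name>).
function documentNames({ tag, id, name }) {
  const names = [];
  // id counts only for <object>, and for <img> that also has a non-empty name.
  if (id && (tag === 'object' || (tag === 'img' && name))) names.push(id);
  // name counts for embed, form, iframe, img and object.
  if (name && DOC_NAME_TAGS.has(tag)) names.push(name);
  return names;
}

// Names one element contributes to the Window named getter (window.<name>).
function windowNames({ tag, id, name }) {
  const names = [];
  if (id) names.push(id); // any HTML element with a non-empty id, custom tags included
  // name counts for embed, form, img, object; an iframe's name becomes the
  // target name of its child navigable, which window also exposes.
  if (name && (WIN_NAME_TAGS.has(tag) || tag === 'iframe')) names.push(name);
  return names;
}

// Which global lookups of `target` resolve to this element in the spec model.
function clobbers(el, target) {
  return {
    document: documentNames(el).includes(target),
    window: windowNames(el).includes(target),
  };
}

// Constructed markup cases, including the one the issue disputes.
const cases = [
  { markup: '<iframe id=x>', el: { tag: 'iframe', id: 'x' } },
  { markup: '<iframe name=x>', el: { tag: 'iframe', name: 'x' } },
  { markup: '<customtag id=x>', el: { tag: 'customtag', id: 'x' } },
  { markup: '<img id=x>', el: { tag: 'img', id: 'x' } },
  { markup: '<img id=x name=y>', el: { tag: 'img', id: 'x', name: 'y' } },
  { markup: '<object id=x>', el: { tag: 'object', id: 'x' } },
];

// One row per case: does the element shadow document.x and/or window.x?
function report() {
  return cases.map(c => ({ markup: c.markup, ...clobbers(c.el, 'x') }));
}
console.table(report());
```

A live cross-check in a browser is to load each markup case in a blank page and compare `document.x` and `window.x` against the rows printed here.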