Bugtraq mailing list archives

Re (3): Circumventing CSFR Form Token Defense


From: bugtraq () phihag de
Date: 12 Jan 2007 03:34:15 -0000

Sorry, this was worded in a very bad way, as my whole reply:

When writing my first message I wanted to express I could not test this with IE: I simply thought IE would not offer
the possibility to render pages in objects. This is obviously wrong, although there seems to be a bug in IE (try it
yourself: http://phihag.de/security/ie_iterate_freeze/ ) causing my experiments to fail. Upon rewriting the text too
late (like now ;) ) "tested with" became the final, totally senseless version I posted. I just tested it, it seems
there is entirely no way to even address an object's contents if it is in the same domain (at least when it's embedded
as the standard says).

Just a little thought: Is there any possibility to fire up a text-reading ActiveX-Control (IE itself, some XML parsing 
modules?) in an object and read the content from outside?

(BTW: This would be primarily a UXSS but not a CSFR attack, as the whole scenario I described in the first message)

