The code just iterates over all attributes of the <body> element and evaluates values of all these attributes as JavaScript. Because there was no other sources in the challenge, it meant that solving it requires finding a way to inject arbitrary attribute value into the document.body. So how’s that possible? It all started when I noticed an interesting snippet in the HTML specification. The 14th s
![Marginwidth/marginheight - the unexpected cross-origin communication channel - research.securitum.com](https://cdn-ak-scissors.b.st-hatena.com/image/square/776a058d916feff52cfb316e04d28e6580ff3c1e/height=288;version=1;width=512/https%3A%2F%2Fresearch.securitum.com%2Fwp-content%2Fuploads%2Fsites%2F2%2F2020%2F07%2Fimage-1024x809.png)