Latest C-CDA for John Smith

<iframe seamless="" style="width: 100%; height: 500px;" src="patients/john-smith/ccda/rendered?secret_token=123abc">
Vulnerability #1: Leaking Referer headers This C-CDA includes a reference to an external image. The rendered HTML view includes an img tag that will point to an external host ( This can be dangerous because browsers will include a "Referer" header on each image load request, which includes the full URL of the current page. If there's secret state embedded in the current page URL, will learn it. In the example above, the external site learns the value of secret_token each time an image loads.
Vulnerability #2: Cross-site scripting This C-CDA includes malicious style and onmouseover attributes (in violation of the CDA specification!) that lead to dangerous rendered HTML. The rendered HTML includes a hidden full-screen table that will run arbitrary JavaScript code any time the mouse moves over the document. Such code has access to all state assocaited with the page origin used inside the iframe. This includes:
  • Page URL
  • Cookies associated with the domain
  • localStorage data associated wtih the domain
  • ... and if the iframe shares its domain with the parent window, it has full access to all application state via window.parent

Source files on GitHub &