RESOLVED FIXED 15039
Cross domain JavaScript injection
https://bugs.webkit.org/show_bug.cgi?id=15039
Summary Cross domain JavaScript injection
Feng Qian
Reported 2007-08-21 11:12:40 PDT
This has something to do with function closures. Steps to reproduce:
1. Save 'parent.html' and 'child.html' in the same directory, and open 'parent.html' in Safari.
2. Click on 'Open Child Window' button, a new tab/window is opened.
3. Click on 'Goto Apple' button, and the parent window is redirected to www.apple.com;
4. Switch to the child window, and click on the button, a dialog pops up and shows that the child window can access the parent window contents in a different domain.
Firefox prevents the child window from accessing Window.alert/Window.document, etc.
Attachments
test case (parent.html) (507 bytes, text/html)
2007-08-21 11:16 PDT, Feng Qian
no flags
test case (child.html) (62 bytes, text/html)
2007-08-21 11:16 PDT, Feng Qian
no flags
slightly cleaned-up test case (parent.html) (505 bytes, text/html)
2007-08-21 11:29 PDT, Feng Qian
no flags
sorry, upload the right version again (parent.html) (447 bytes, text/html)
2007-08-21 11:31 PDT, Feng Qian
no flags
patch (2.58 KB, patch)
2007-08-23 13:54 PDT, Feng Qian
no flags
Feng Qian
Comment 1 2007-08-21 11:16:15 PDT
Created attachment 16056 [details] test case (parent.html)
Feng Qian
Comment 2 2007-08-21 11:16:49 PDT
Created attachment 16057 [details] test case (child.html)
Feng Qian
Comment 3 2007-08-21 11:21:44 PDT
Comment on attachment 16056 [details] test case (parent.html)
><HTML><HEAD>
><SCRIPT>
>parent_doc=window.document;
>Object.prototype.foo = 'bar';
>function openChild() {
>  child = window.open("child.html");
>}
>function gotoApple() {
>  var b = child.document.getElementById('btn');
>  b.onclick=function() {
>    alert(window.document.location);
>  }
>  // change parent location to different domain
>  window.location='http://www.apple.com';
>}
></SCRIPT></HEAD><BODY>
><BUTTON onclick="openChild()">Open Child Window</BUTTON>
><BUTTON onclick="gotoApple()">Goto Apple</BUTTON>
>
></BODY></HTML>
Feng Qian
Comment 4 2007-08-21 11:29:48 PDT
Created attachment 16058 [details] slightly cleaned-up test case (parent.html)
Feng Qian
Comment 5 2007-08-21 11:31:02 PDT
Created attachment 16059 [details] sorry, upload the right version again (parent.html)
Sam Weinig
Comment 6 2007-08-21 11:44:54 PDT
Geoffrey Garen
Comment 7 2007-08-21 18:45:31 PDT
I think the problem may be that we do some security checking via execState, not domain. This example demonstrates why you have to use domain always.
Feng Qian
Comment 8 2007-08-22 11:20:37 PDT
Two issues I found:
1. Wrong execution context in EventListener::handleEvent. It should be the frame firing events. (Is it the same as the owner frame of event target?) This is pretty easy to fix, I think. JSAbstractEventListener::handleEvent should use the current execState to run handler function.
2. When navigating to a new URL, new JS environment has the same built-in objects & prototypes as the old one.
Both would allow cross domain script injection.
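The mechanism discussed in comments 7 and 8, as an added model written for this page (it is not WebKit's code and not the attached patch): a same-origin check that keys on the origin of the frame actually running script gives the right answer, while one keyed on the execution state the listener was created in lets the child read the parent's document after the parent has navigated cross-domain. The Frame/Window shapes, the `readDocumentLocation` accessor, the two `dispatch*` functions and the assumption that all file: URLs share one origin are constructed for the model; the steps replayed are the ones from the bug's test case.

```javascript
// Model of the check at issue in bug 15039. Constructed for illustration;
// names (Frame, readDocumentLocation, dispatchBuggy, dispatchFixed) are ours.

// Scheme/host/port triple, with default ports normalised so that
// "http://a" and "http://a:80" compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaults = { 'http:': '80', 'https:': '443' };
  // Assumption: file: URLs have no host, so every file: URL lands in one
  // shared origin (scheme 'file:', empty host, empty port).
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// A Frame keeps one Window object across navigations (as WebKit did at
// the time); only the document and the frame's origin change.
class Frame {
  constructor(name, url) {
    this.name = name;
    this.window = { frame: this, document: null };
    this.navigate(url);
  }
  navigate(url) {
    this.window.document = { location: url };
    this.origin = originOf(url);
  }
}

// Security-checked read of window.document.location. `activeFrame` is the
// frame the engine believes is running script right now.
function readDocumentLocation(activeFrame, targetWindow) {
  if (!sameOrigin(activeFrame.origin, targetWindow.frame.origin)) {
    throw new Error(`Unsafe JavaScript attempt to access frame ${targetWindow.frame.name} from frame ${activeFrame.name}`);
  }
  return targetWindow.document.location;
}

// The listener from the test case: created by the parent's script, it
// closes over the parent's window and reads window.document.location.
function makeListener(creatingFrame) {
  const window = creatingFrame.window;
  return {
    creatingFrame,
    handler(activeFrame) { return readDocumentLocation(activeFrame, window); },
  };
}

// Bug: handleEvent ran the handler with the execution state of the frame
// the listener was created in, so the parent is checked against itself.
function dispatchBuggy(listener /* firing frame ignored */) {
  return listener.handler(listener.creatingFrame);
}

// Fix: run the handler with the execution state of the frame firing the event.
function dispatchFixed(listener, firingFrame) {
  return listener.handler(firingFrame);
}

// Replay the steps to reproduce with a given dispatch policy.
function reproduce(dispatch) {
  const parent = new Frame('parent', 'file:///tmp/parent.html');
  const child = new Frame('child', 'file:///tmp/child.html');   // window.open("child.html")
  const onclick = makeListener(parent);        // b.onclick = function() { alert(window.document.location) }
  parent.navigate('http://www.apple.com/');    // window.location = 'http://www.apple.com'
  try {
    return { allowed: true, value: dispatch(onclick, child) };   // click in the child window
  } catch (e) {
    return { allowed: false, error: e.message };
  }
}
```

With `dispatchBuggy` the active frame is the parent, whose origin is now www.apple.com, the same as the target window's, so the read succeeds and the child learns the parent's location. With `dispatchFixed` the active frame is the child (file: origin) and the read is refused, which is the "unsafe scripting exception" comment 9 reports after the patch.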
Feng Qian
Comment 9 2007-08-23 13:54:28 PDT
Created attachment 16101 [details] patch
Only tested the test case, got unsafe scripting exception. Didn't run webkit regression tests.
Sam Weinig
Comment 10 2007-08-25 12:16:17 PDT
A fix for this was landed in r25249.