16387 – Variable names can be enumerated across domains

Bug 16387 - Variable names can be enumerated across domains

Summary: Variable names can be enumerated across domains

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac OS X 10.4

Importance:	P1 Normal
Assignee:	Nobody

URL:	http://mapseekret.com/staticmedia/doc...
Keywords:	HasReduction, InRadar

Depends on:
Blocks:

Reported:	2007-12-10 14:15 PST by Henry Mason
Modified:	2007-12-30 23:02 PST (History)
CC List:	3 users (show)

See Also:

Attachments
patch (6.19 KB, patch) 2007-12-30 22:54 PST, Sam Weinig	oliver: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Henry Mason 2007-12-10 14:15:27 PST

WebKit currently allows for enumeration of all the property names in window object via a JavaScript "for .. in " loop, even when the window object is from a foreign domain. This could cause a security problem if a JavaScript author made the mistake of storing a password in a variable name or something.

I've posted a demonstration of this problem to this bug's URL. Document B sets a global variable named "superSecretThing", document A embeds document B in an iframe, and is able to see the secret variable name from a foreign domain.

Comment 1 Mark Rowe (bdash) 2007-12-10 20:20:23 PST

<rdar://problem/5640454>

Comment 2 Ian 'Hixie' Hickson 2007-12-30 21:19:26 PST

This can, e.g., leak whether a user is logged in on another domain, if that domain initialises variables after the user logs in.

Comment 3 Sam Weinig 2007-12-30 22:54:29 PST

Created attachment 18204 [details]
patch

Comment 4 Sam Weinig 2007-12-30 23:02:28 PST

Landed in r29044.