11885 2006-12-19 16:09:03 -0800 Cross-frame scripting checks should not restrict access to data: URLs 2023-01-10 16:18:11 -0800 1 1 1 Unclassified WebKit WebCore JavaScript 420+ Mac OS X 10.4 NEW https://bugs.webkit.org/show_bug.cgi?id=250418 P2 Normal --- 1 ggaren webkit-unassigned abarth ap dbates gavin.sharp jchaffraix jruderman jschuh jwalden+bwo sam webkit oldest_to_newest 41077 0 ggaren 2006-12-19 16:09:03 -0800 See http://bugs.webkit.org/attachment.cgi?id=11925 for an example of a script that fails because of it. 68091 1 sam 2008-01-23 22:33:51 -0800 I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed. It would a good first step to document exactly what Firefox and Opera do. 68092 2 abarth 2008-01-23 22:39:46 -0800 Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally. 68187 3 mjs 2008-01-24 21:15:40 -0800 I believe the current behavior of Firefox is an XSS security risk. 68188 4 jruderman 2008-01-24 21:27:35 -0800 See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk. 109783 5 abarth 2009-02-14 16:40:25 -0800 HTML 5 specs Firefox's behavior: "If a Document or image was generated from a data: URL found in another Document or in a script The origin is the origin of the Document or script in which the data: URL was found." 205551 6 ojan 2010-03-29 11:11:04 -0700 Some of the public-web-security discussion: http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with. 306024 7 73217 abarth 2010-11-07 23:45:33 -0800 Created attachment 73217 Wrong patch (has vulnerabilities) 306026 8 abarth 2010-11-07 23:46:35 -0800 I think we should do this, but the implementation is not trivial. The approach in the above patch doesn't work, sadly. 73217 2010-11-07 23:45:33 -0800 2010-11-07 23:45:33 -0800 Wrong patch (has vulnerabilities) bug-11885-20101107234531.patch text/plain 4266 abarth SW5kZXg6IFdlYkNvcmUvZG9tL0RvY3VtZW50LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2Rv bS9Eb2N1bWVudC5jcHAJKHJldmlzaW9uIDcxNTAwKQorKysgV2ViQ29yZS9kb20vRG9jdW1lbnQu Y3BwCSh3b3JraW5nIGNvcHkpCkBAIC00NDA2LDEzICs0NDA2LDIxIEBAIHZvaWQgRG9jdW1lbnQ6 OmluaXRTZWN1cml0eUNvbnRleHQoKQogICAgIEZyYW1lKiBvd25lckZyYW1lID0gbV9mcmFtZS0+ dHJlZSgpLT5wYXJlbnQoKTsKICAgICBpZiAoIW93bmVyRnJhbWUpCiAgICAgICAgIG93bmVyRnJh bWUgPSBtX2ZyYW1lLT5sb2FkZXIoKS0+b3BlbmVyKCk7CisgICAgaWYgKCFvd25lckZyYW1lKQor ICAgICAgICByZXR1cm47CiAKLSAgICBpZiAob3duZXJGcmFtZSkgewotICAgICAgICBtX2Nvb2tp ZVVSTCA9IG93bmVyRnJhbWUtPmRvY3VtZW50KCktPmNvb2tpZVVSTCgpOwotICAgICAgICAvLyBX ZSBhbGlhcyB0aGUgU2VjdXJpdHlPcmlnaW5zIHRvIG1hdGNoIEZpcmVmb3gsIHNlZSBCdWcgMTUz MTMKKyAgICBtX2Nvb2tpZVVSTCA9IG93bmVyRnJhbWUtPmRvY3VtZW50KCktPmNvb2tpZVVSTCgp OworICAgIGlmIChtX3VybC5wcm90b2NvbElzKCJhYm91dCIpKSB7CisgICAgICAgIC8vIFRoZSBh Ym91dCBzY2hlbWUgaGFzIHNvbWUgb2RkIGxlZ2FjeSBiZWhhdmlvci4gIEluc3RlYWQgb2YgY29w eWluZworICAgICAgICAvLyB0aGUgU2VjdXJpdHlPcmlnaW4gZnJvbSB0aGUgb3duZXJGcmFtZSwg d2UgYWxpYXMgdGhlIHR3byBvYmplY3RzCisgICAgICAgIC8vIHN1Y2ggdGhhdCBtdXRhdGluZyBv bmUgb2YgdGhlIHNlY3VyaXR5IG9yaWdpbnMgYWN0dWFsbHkgbXV0YXRlcyB0aGUKKyAgICAgICAg Ly8gb3RoZXIuICBTZWUgQnVnIDE1MzEzIGZvciBkZXRhaWxzLgogICAgICAgICAvLyBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTUzMTMKICAgICAgICAgU2NyaXB0RXhl Y3V0aW9uQ29udGV4dDo6c2V0U2VjdXJpdHlPcmlnaW4ob3duZXJGcmFtZS0+ZG9jdW1lbnQoKS0+ c2VjdXJpdHlPcmlnaW4oKSk7CisgICAgICAgIHJldHVybjsKICAgICB9CisgICAgLy8gVXNpbmcg dGhyZWFkc2FmZUNvcHkgaXMgYSBiaXQgb2Ygb3ZlcmtpbGwgaGVyZSwgYnV0IGl0IHNob3VsZCB3 b3JrLgorICAgIFNjcmlwdEV4ZWN1dGlvbkNvbnRleHQ6OnNldFNlY3VyaXR5T3JpZ2luKG93bmVy RnJhbWUtPmRvY3VtZW50KCktPnNlY3VyaXR5T3JpZ2luKCktPnRocmVhZHNhZmVDb3B5KCkpOwog fQogCiB2b2lkIERvY3VtZW50OjpzZXRTZWN1cml0eU9yaWdpbihTZWN1cml0eU9yaWdpbiogc2Vj dXJpdHlPcmlnaW4pCkluZGV4OiBXZWJDb3JlL3BhZ2UvU2VjdXJpdHlPcmlnaW4uY3BwCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIFdlYkNvcmUvcGFnZS9TZWN1cml0eU9yaWdpbi5jcHAJKHJldmlzaW9uIDcxNTAw KQorKysgV2ViQ29yZS9wYWdlL1NlY3VyaXR5T3JpZ2luLmNwcAkod29ya2luZyBjb3B5KQpAQCAt NzQsOCArNzQsOCBAQCBTZWN1cml0eU9yaWdpbjo6U2VjdXJpdHlPcmlnaW4oY29uc3QgS1VSCiAg ICAgLCBtX2RvbWFpbldhc1NldEluRE9NKGZhbHNlKQogICAgICwgbV9lbmZvcmNlRmlsZVBhdGhT ZXBhcmF0aW9uKGZhbHNlKQogewotICAgIC8vIFRoZXNlIHByb3RvY29scyBkbyBub3QgY3JlYXRl IHNlY3VyaXR5IG9yaWdpbnM7IHRoZSBvd25lciBmcmFtZSBwcm92aWRlcyB0aGUgb3JpZ2luCi0g ICAgaWYgKG1fcHJvdG9jb2wgPT0gImFib3V0IiB8fCBtX3Byb3RvY29sID09ICJqYXZhc2NyaXB0 IikKKyAgICAvLyBUaGVzZSBwcm90b2NvbHMgZG8gbm90IGNyZWF0ZSBzZWN1cml0eSBvcmlnaW5z OyB0aGUgb3duZXIgZnJhbWUgcHJvdmlkZXMgdGhlIG9yaWdpbi4KKyAgICBpZiAobV9wcm90b2Nv bCA9PSAiYWJvdXQiIHx8IG1fcHJvdG9jb2wgPT0gImphdmFzY3JpcHQiIHx8IG1fcHJvdG9jb2wg PT0gImRhdGEiKQogICAgICAgICBtX3Byb3RvY29sID0gIiI7CiAKICAgICAvLyBGb3IgZWRnZSBj YXNlIFVSTHMgdGhhdCB3ZXJlIHByb2JhYmx5IG1pc3BhcnNlZCwgbWFrZSBzdXJlIHRoYXQgdGhl IG9yaWdpbiBpcyB1bmlxdWUuCkBAIC0yMzIsMTEgKzIzMiwxNyBAQCBib29sIFNlY3VyaXR5T3Jp Z2luOjpjYW5SZXF1ZXN0KGNvbnN0IEtVCiAgICAgaWYgKG1fdW5pdmVyc2FsQWNjZXNzKQogICAg ICAgICByZXR1cm4gdHJ1ZTsKIAorICAgIC8vIEl0J3MgYWx3YXlzIHNhZmUgdG8gcmVxdWVzdCBk YXRhIFVSTHMgYmVjYXVzZSB0aGUgcmVxdWVzdGVyIGFscmVhZHkKKyAgICAvLyBrbm93cyB0aGUg Y29udGVudHMgb2YgdGhlIGRhdGEgVVJMLCBldmVuIGlmIHRoZXkncmUgYSB1bmlxdWUgb3JpZ2lu LgorICAgIGlmICh1cmwucHJvdG9jb2xJc0RhdGEoKSkKKyAgICAgICAgcmV0dXJuIHRydWU7CisK ICAgICBpZiAoaXNVbmlxdWUoKSkKICAgICAgICAgcmV0dXJuIGZhbHNlOwogCiAgICAgUmVmUHRy PFNlY3VyaXR5T3JpZ2luPiB0YXJnZXRPcmlnaW4gPSBTZWN1cml0eU9yaWdpbjo6Y3JlYXRlKHVy bCk7CiAKKyAgICAvLyBGSVhNRTogVGhpcyBzcGVjaWFsIGV4Y2VwdGlvbiBmb3IgYmxvYiBVUkxz IHNlZW1zIHdyb25nLgogICAgIGJvb2wgZG9VbmlxdWVPcmlnaW5DaGVjayA9IHRydWU7CiAjaWYg RU5BQkxFKEJMT0IpCiAgICAgLy8gRm9yIGJsb2Igc2NoZW1lLCB3ZSB3YW50IHRvIGlnbm9yZSB0 aGlzIGNoZWNrLgpAQCAtMjU4LDE5ICsyNjQsOCBAQCBib29sIFNlY3VyaXR5T3JpZ2luOjpjYW5S ZXF1ZXN0KGNvbnN0IEtVCiAKIGJvb2wgU2VjdXJpdHlPcmlnaW46OnRhaW50c0NhbnZhcyhjb25z dCBLVVJMJiB1cmwpIGNvbnN0CiB7Ci0gICAgaWYgKGNhblJlcXVlc3QodXJsKSkKLSAgICAgICAg cmV0dXJuIGZhbHNlOwotCi0gICAgLy8gVGhpcyBmdW5jdGlvbiBleGlzdHMgYmVjYXVzZSB3ZSB0 cmVhdCBkYXRhIFVSTHMgYXMgaGF2aW5nIGEgdW5pcXVlIG9yaWdpbiwKLSAgICAvLyBjb250cmFy eSB0byB0aGUgY3VycmVudCAoOS8xOS8yMDA5KSBkcmFmdCBvZiB0aGUgSFRNTDUgc3BlY2lmaWNh dGlvbi4KLSAgICAvLyBXZSBzdGlsbCB3YW50IHRvIGxldCBmb2xrcyBwYWludCBkYXRhIFVSTHMg b250byB1bnRhaW50ZWQgY2FudmFzZXMsIHNvCi0gICAgLy8gd2Ugc3BlY2lhbCBjYXNlIGRhdGEg VVJMcyBiZWxvdy4gSWYgd2UgY2hhbmdlIHRvIG1hdGNoIEhUTUw1IHcuci50LgotICAgIC8vIGRh dGEgVVJMIHNlY3VyaXR5LCB0aGVuIHdlIGNhbiByZW1vdmUgdGhpcyBmdW5jdGlvbiBpbiBmYXZv ciBvZgotICAgIC8vICFjYW5SZXF1ZXN0LgotICAgIGlmICh1cmwucHJvdG9jb2xJc0RhdGEoKSkK LSAgICAgICAgcmV0dXJuIGZhbHNlOwotCi0gICAgcmV0dXJuIHRydWU7CisgICAgLy8gRklYTUU6 IFJlbW92ZSB0aGlzIGZ1bmN0aW9uIGFuZCBoYXZlIGNhbGxlcnMganVzdCBjYWxsIGNhblJlcXVl c3QgZGlyZWN0bHkuCisgICAgcmV0dXJuICFjYW5SZXF1ZXN0KHVybCk7CiB9CiAKIGJvb2wgU2Vj dXJpdHlPcmlnaW46OmlzQWNjZXNzV2hpdGVMaXN0ZWQoY29uc3QgU2VjdXJpdHlPcmlnaW4qIHRh cmdldE9yaWdpbikgY29uc3QKSW5kZXg6IFdlYkNvcmUvcGxhdGZvcm0vU2NoZW1lUmVnaXN0cnku Y3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvcGxhdGZvcm0vU2NoZW1lUmVnaXN0cnkuY3BwCShy ZXZpc2lvbiA3MTUwMCkKKysrIFdlYkNvcmUvcGxhdGZvcm0vU2NoZW1lUmVnaXN0cnkuY3BwCSh3 b3JraW5nIGNvcHkpCkBAIC02MiwxMSArNjIsNiBAQCBzdGF0aWMgVVJMU2NoZW1lc01hcCYgc2No ZW1lc1dpdGhVbmlxdWVPCiB7CiAgICAgREVGSU5FX1NUQVRJQ19MT0NBTChVUkxTY2hlbWVzTWFw LCBzY2hlbWVzV2l0aFVuaXF1ZU9yaWdpbnMsICgpKTsKIAotICAgIC8vIFRoaXMgaXMgYSB3aWxs ZnVsIHZpb2xhdGlvbiBvZiBIVE1MNS4KLSAgICAvLyBTZWUgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTExODg1Ci0gICAgaWYgKHNjaGVtZXNXaXRoVW5pcXVlT3JpZ2lu cy5pc0VtcHR5KCkpCi0gICAgICAgIHNjaGVtZXNXaXRoVW5pcXVlT3JpZ2lucy5hZGQoImRhdGEi KTsKLQogICAgIHJldHVybiBzY2hlbWVzV2l0aFVuaXF1ZU9yaWdpbnM7CiB9CiAK