15039 2007-08-21 11:12:40 -0700 Cross domain JavaScript injection 2007-08-25 12:16:17 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 523.x (Safari 3) PC All RESOLVED FIXED InRadar P2 Normal --- 1 ian.eng.webkit webkit-unassigned ddkilzer sam oldest_to_newest 1782 0 ian.eng.webkit 2007-08-21 11:12:40 -0700 This has something to do with function closures. Steps to reproduce: 1. Save 'parent.html' and 'child.html' in the same direcotry, and open 'parent.html' in Safari. 2. Click on 'Open Child Window' button, a new tab/window is opened. 3. Click on 'Goto Apple' button, and the parent window is redirected to www.apple.com; 4. Switch to the child window, and click on the button, a dialog pops up and show that the child window can access the parent window contents in a different domain. Firefox prevents the child window to access Window.alert/Window.document, etc. 1780 1 16056 ian.eng.webkit 2007-08-21 11:16:15 -0700 Created attachment 16056 test case (parent.html) 1781 2 16057 ian.eng.webkit 2007-08-21 11:16:49 -0700 Created attachment 16057 test case (child.html) 1779 3 16056 ian.eng.webkit 2007-08-21 11:21:44 -0700 Comment on attachment 16056 test case (parent.html) ><HTML><HEAD> ><SCRIPT> >parent_doc=window.document; >Object.prototype.foo = 'bar'; >function openChild() { > child = window.open("child.html"); >} >function gotoApple() { > var b = child.document.getElementById('btn'); > b.onclick=function() { > alert(window.document.location); > } > // change parent location to different domain > window.location='http://www.apple.com'; >} ></SCRIPT></HEAD><BODY> ><BUTTON onclick="openChild()">Open Child Window</BUTTON> ><BUTTON onclick="gotoApple()">Goto Apple</BUTTON> > ></BODY></HTML> 1771 4 16058 ian.eng.webkit 2007-08-21 11:29:48 -0700 Created attachment 16058 slightly cleaned-up test case (parent.html) 1772 5 16059 ian.eng.webkit 2007-08-21 11:31:02 -0700 Created attachment 16059 sorry, upload the right version again (parent.html) 1775 6 sam 2007-08-21 11:44:54 -0700 <rdar://problem/5426142> 1747 7 ggaren 2007-08-21 18:45:31 -0700 I think the problem may be that we do some security checking via execState, not domain. This example demonstrates why you have to use domain always. 1711 8 ian.eng.webkit 2007-08-22 11:20:37 -0700 Two issues I found: 1. Wrong execution context in EventListener::handleEvent. It should be the frame firing events. (Is it the same as the owner frame of event target?) This is pretty easy to fix, I think. JSAbstractEventListener::handleEvent should use the current execState to run handler function. 2. When navigating to a new URL, new JS environment has the same built-in objects&prototypes as the old one. Both would allow cross domain script injection. 1586 9 16101 ian.eng.webkit 2007-08-23 13:54:28 -0700 Created attachment 16101 patch Only tested the test case, got unsafe scripting exception. Didn't run webkit regression tests. 1473 10 sam 2007-08-25 12:16:17 -0700 A fix for this was landed in r25249. 16056 2007-08-21 11:16:15 -0700 2007-08-21 11:29:48 -0700 test case (parent.html) parent.html text/html 507 ian.eng.webkit PGh0bWw+CjxzY3JpcHQ+CnBhcmVudF9kb2M9d2luZG93LmRvY3VtZW50OwpPYmplY3QucHJvdG90 eXBlLmZvbyA9ICdiYXInOwpmdW5jdGlvbiBvcGVuQ2hpbGQoKSB7CiAgY2hpbGQgPSB3aW5kb3cu b3BlbigiY2hpbGQuaHRtbCIpOwp9CmZ1bmN0aW9uIGdvdG9Hb29nbGUoKSB7CiAgdmFyIGIgPSBj aGlsZC5kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnYnRuJyk7CiAgYi5vbmNsaWNrPWZ1bmN0aW9u KCkgewogICAgYWxlcnQod2luZG93LmRvY3VtZW50LmxvY2F0aW9uKTsKICB9CiAgLy8gY2hhbmdl IHBhcmVudCBsb2NhdGlvbiB0byBkaWZmZXJlbnQgZG9tYWluCiAgd2luZG93LmxvY2F0aW9uPSdo dHRwOi8vd3d3LmFwcGxlLmNvbSc7Cn0KPC9zY3JpcHQ+Cjxib2R5Pgo8YnV0dG9uIG9uY2xpY2s9 Im9wZW5DaGlsZCgpIj5PcGVuIENoaWxkIFdpbmRvdzwvYnV0dG9uPgo8YnV0dG9uIG9uY2xpY2s9 ImdvdG9Hb29nbGUoKSI+R290byBBcHBsZTwvYnV0dG9uPgo8L2JvZHk+CjwvaHRtbD4K 16057 2007-08-21 11:16:49 -0700 2007-08-21 11:16:49 -0700 test case (child.html) child.html text/html 62 ian.eng.webkit PGh0bWw+Cjxib2R5Pgo8YnV0dG9uIGlkPSdidG4nPmNsaWNrPC9idXR0b24+CjwvYm9keT4KPC9o dG1sPgo= 16058 2007-08-21 11:29:48 -0700 2007-08-21 11:31:02 -0700 slightly cleaned-up test case (parent.html) parent.html text/html 505 ian.eng.webkit PGh0bWw+CjxzY3JpcHQ+CnBhcmVudF9kb2M9d2luZG93LmRvY3VtZW50OwpPYmplY3QucHJvdG90 eXBlLmZvbyA9ICdiYXInOwpmdW5jdGlvbiBvcGVuQ2hpbGQoKSB7CiAgY2hpbGQgPSB3aW5kb3cu b3BlbigiY2hpbGQuaHRtbCIpOwp9CmZ1bmN0aW9uIGdvdG9BcHBsZSgpIHsKICB2YXIgYiA9IGNo aWxkLmRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdidG4nKTsKICBiLm9uY2xpY2s9ZnVuY3Rpb24o KSB7CiAgICBhbGVydCh3aW5kb3cuZG9jdW1lbnQubG9jYXRpb24pOwogIH0KICAvLyBjaGFuZ2Ug cGFyZW50IGxvY2F0aW9uIHRvIGRpZmZlcmVudCBkb21haW4KICB3aW5kb3cubG9jYXRpb249J2h0 dHA6Ly93d3cuYXBwbGUuY29tJzsKfQo8L3NjcmlwdD4KPGJvZHk+CjxidXR0b24gb25jbGljaz0i b3BlbkNoaWxkKCkiPk9wZW4gQ2hpbGQgV2luZG93PC9idXR0b24+CjxidXR0b24gb25jbGljaz0i Z290b0FwcGxlKCkiPkdvdG8gQXBwbGU8L2J1dHRvbj4KPC9ib2R5Pgo8L2h0bWw+Cg== 16059 2007-08-21 11:31:02 -0700 2007-08-21 11:31:02 -0700 sorry, upload the right version again (parent.html) parent.html text/html 447 ian.eng.webkit PGh0bWw+CjxzY3JpcHQ+CmZ1bmN0aW9uIG9wZW5DaGlsZCgpIHsKICBjaGlsZCA9IHdpbmRvdy5v cGVuKCJjaGlsZC5odG1sIik7Cn0KZnVuY3Rpb24gZ290b0FwcGxlKCkgewogIHZhciBiID0gY2hp bGQuZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2J0bicpOwogIGIub25jbGljaz1mdW5jdGlvbigp IHsKICAgIGFsZXJ0KHdpbmRvdy5kb2N1bWVudC5sb2NhdGlvbik7CiAgfQogIC8vIGNoYW5nZSBw YXJlbnQgbG9jYXRpb24gdG8gZGlmZmVyZW50IGRvbWFpbgogIHdpbmRvdy5sb2NhdGlvbj0naHR0 cDovL3d3dy5hcHBsZS5jb20nOwp9Cjwvc2NyaXB0Pgo8Ym9keT4KPGJ1dHRvbiBvbmNsaWNrPSJv cGVuQ2hpbGQoKSI+T3BlbiBDaGlsZCBXaW5kb3c8L2J1dHRvbj4KPGJ1dHRvbiBvbmNsaWNrPSJn b3RvQXBwbGUoKSI+R290byBBcHBsZTwvYnV0dG9uPgo8L2JvZHk+CjwvaHRtbD4K 16101 2007-08-23 13:54:28 -0700 2007-08-23 13:54:28 -0700 patch bug15039.patch text/plain 2647 ian.eng.webkit SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAyNTIwNykKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTUgQEAKKzIwMDctMDgtMjMgIEZlbmcgUWlhbiA8aWFuLmVuZy53ZWJraXRAZ21h aWwuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IEZpeCBpc3N1ZSAxNTAzOS4gVXNlIGV2ZW50IHRhcmdldCBub2RlJ3MgZnJhbWUgYXMgdGhlIGV4 ZWN1dGlvbgorICAgICAgICBlbnZpcm9ubWVudCB0byBleGVjdXRlIGV2ZW50IGhhbmRsZXIuCisK KyAgICAgICAgKiBiaW5kaW5ncy9qcy9ranNfZXZlbnRzLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6 OkpTQWJzdHJhY3RFdmVudExpc3RlbmVyOjpoYW5kbGVFdmVudCk6CisgICAgICAgICogeG1sL1hN TEh0dHBSZXF1ZXN0Lmg6CisgICAgICAgIChXZWJDb3JlOjpYTUxIdHRwUmVxdWVzdDo6Z2V0T3du ZXJEb2N1bWVudCk6CisKIDIwMDctMDgtMjMgIEFuZGVycyBDYXJsc3NvbiAgPGFuZGVyc2NhQGFw cGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBTdGV2ZS4KSW5kZXg6IFdlYkNvcmUvYmlu ZGluZ3MvanMva2pzX2V2ZW50cy5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9iaW5kaW5ncy9q cy9ranNfZXZlbnRzLmNwcAkocmV2aXNpb24gMjUyMDcpCisrKyBXZWJDb3JlL2JpbmRpbmdzL2pz L2tqc19ldmVudHMuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0zNyw2ICszNyw3IEBACiAjaW5jbHVk ZSAiSlNFdmVudFRhcmdldE5vZGUuaCIKICNpbmNsdWRlICJLVVJMLmgiCiAjaW5jbHVkZSAiUGFn ZS5oIgorI2luY2x1ZGUgIlhNTEh0dHBSZXF1ZXN0LmgiCiAjaW5jbHVkZSAia2pzX3Byb3h5Lmgi CiAjaW5jbHVkZSAia2pzX3dpbmRvdy5oIgogCkBAIC03MSw3ICs3MiwyNiBAQCB2b2lkIEpTQWJz dHJhY3RFdmVudExpc3RlbmVyOjpoYW5kbGVFdmVuCiAgICAgLy8geG1saHR0cHJlcXVlc3Qgb2Jq ZWN0cy4gU2VlIGh0dHA6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEzMjc1CiAg ICAgaWYgKCF3aW5kb3cpCiAgICAgICAgIHJldHVybjsKLSAgICBGcmFtZSAqZnJhbWUgPSB3aW5k b3ctPmltcGwoKS0+ZnJhbWUoKTsKKworICAgIC8vIFVzZSB0aGUgZXZlbnQgdGFyZ2V0J3Mgb3du ZXIgZnJhbWUgYXMgZXhlY3V0aW9uIGNvbnRleHQuCisgICAgLy8gU2VlIGh0dHA6Ly9idWdzL3dl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1MDM5CisgICAgRnJhbWUqIGZyYW1lID0gMDsKKyAg ICB7CisgICAgICAgIEV2ZW50VGFyZ2V0KiB0YXJnZXQgPSBldmVudC0+dGFyZ2V0KCk7CisgICAg ICAgIE5vZGUqIG5vZGUgPSB0YXJnZXQtPnRvTm9kZSgpOworICAgICAgICBpZiAobm9kZSAmJiBu b2RlLT5pbkRvY3VtZW50KCkpIHsKKyAgICAgICAgICAgIERvY3VtZW50KiBkb2N1bWVudCA9IG5v ZGUtPmlzRG9jdW1lbnROb2RlKCkgPworICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg c3RhdGljX2Nhc3Q8RG9jdW1lbnQqPihub2RlKSA6CisgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICBub2RlLT5vd25lckRvY3VtZW50KCk7CisgICAgICAgICAgICBmcmFtZSA9IGRvY3Vt ZW50LT5mcmFtZSgpOworICAgICAgICB9IGVsc2UgeworICAgICAgICAgICAgLy8gVGhlIHRhcmdl dCBpcyBhIFhNTEh0dHBSZXF1ZXN0IG9iamVjdC4KKyAgICAgICAgICAgIFhNTEh0dHBSZXF1ZXN0 KiB4aHIgPSB0YXJnZXQtPnRvWE1MSHR0cFJlcXVlc3QoKTsKKyAgICAgICAgICAgIERvY3VtZW50 KiBkb2N1bWVudCA9IHhoci0+Z2V0T3duZXJEb2N1bWVudCgpOworICAgICAgICAgICAgZnJhbWUg PSBkb2N1bWVudC0+ZnJhbWUoKTsKKyAgICAgICAgfQorICAgIH0KKyAgCiAgICAgaWYgKCFmcmFt ZSkKICAgICAgICAgcmV0dXJuOwogICAgIEtKU1Byb3h5KiBwcm94eSA9IGZyYW1lLT5zY3JpcHRQ cm94eSgpOwpJbmRleDogV2ViQ29yZS94bWwvWE1MSHR0cFJlcXVlc3QuaAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBXZWJDb3JlL3htbC9YTUxIdHRwUmVxdWVzdC5oCShyZXZpc2lvbiAyNTIwNykKKysrIFdlYkNv cmUveG1sL1hNTEh0dHBSZXF1ZXN0LmgJKHdvcmtpbmcgY29weSkKQEAgLTk5LDYgKzk5LDggQEAg cHVibGljOgogICAgIHZpcnR1YWwgYm9vbCBkaXNwYXRjaEV2ZW50KFBhc3NSZWZQdHI8RXZlbnQ+ LCBFeGNlcHRpb25Db2RlJiwgYm9vbCB0ZW1wRXZlbnQgPSBmYWxzZSk7CiAgICAgRXZlbnRMaXN0 ZW5lcnNNYXAmIGV2ZW50TGlzdGVuZXJzKCkgeyByZXR1cm4gbV9ldmVudExpc3RlbmVyczsgfQog CisgICAgRG9jdW1lbnQqIGdldE93bmVyRG9jdW1lbnQoKSB7IHJldHVybiBtX2RvYzsgfQorCiAg ICAgdXNpbmcgU2hhcmVkPFhNTEh0dHBSZXF1ZXN0Pjo6cmVmOwogICAgIHVzaW5nIFNoYXJlZDxY TUxIdHRwUmVxdWVzdD46OmRlcmVmOwogCg==