16073 2007-11-20 10:35:03 -0800 xss possible because of a bug in Document::setDomain 2007-11-26 17:53:10 -0800 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC OS X 10.4 RESOLVED FIXED InRadar P2 Major --- 1 ian.eng.webkit webkit-unassigned ddkilzer sam oldest_to_newest 61805 0 ian.eng.webkit 2007-11-20 10:35:03 -0800 Document::setDomain updates securityOrigin to new domain even when new domain is not a suffix of the current domain. If frame A and B change their domains to an invalid third party domain, A and B are accessible to each other even when there are from different domain. A layout test and fix is coming. 61814 1 mrowe 2007-11-20 12:14:17 -0800 <rdar://problem/5609222> 61859 2 17421 ian.eng.webkit 2007-11-20 16:10:21 -0800 Created attachment 17421 A patch with a test A test case according to the format. Feel free to change. 61864 3 17421 sam 2007-11-20 16:55:02 -0800 Comment on attachment 17421 A patch with a test Assuming you tested the test case before and after the change, r=me. It's not that important, but Document::setDomain is also in need of a little love to get rid of those nasty nested ifs. Early return for the win. 61866 4 ian.eng.webkit 2007-11-20 16:59:42 -0800 (In reply to comment #3) > (From update of attachment 17421 [edit]) > Assuming you tested the test case before and after the change, r=me. Yes. > > It's not that important, but Document::setDomain is also in need of a little > love to get rid of those nasty nested ifs. Early return for the win. > Can we get rid of Document::m_domain and use m_securityOrigin.host() instead? Looks like it is not much useful. 61876 5 ian.eng.webkit 2007-11-20 19:04:50 -0800 Thanks, are you going to land the patch soon? (In reply to comment #3) > (From update of attachment 17421 [edit]) > Assuming you tested the test case before and after the change, r=me. > > It's not that important, but Document::setDomain is also in need of a little > love to get rid of those nasty nested ifs. Early return for the win. > 61877 6 17421 aroben 2007-11-20 20:12:59 -0800 Comment on attachment 17421 A patch with a test Whoever lands this patch should split the ChangeLog entry and put it in WebCore/ChangeLog and LayoutTests/ChangeLog, instead of at the top level. 61953 7 ian.eng.webkit 2007-11-21 16:03:12 -0800 The patch is over-restricted. It should allow set to the same domain. So it needs a fix before getting the length of domain names. // Both NS and IE specify that changing the domain is only allowed when // the new domain is a suffix of the old domain. // FIXME: We should add logging indicating why a domain was not allowed. // NOTE: If the new domain is the same as the old domain, still call // m_securityOrigin.setDomainForDOM. This will change the // security check behavior. For example, if a page with https:// scheme // assigns its current domain to document.domain, the page will // allow other http:// (and ports) pages in the same domain to // access this page. Firefox and Safari behaves like this. // Is this a good design? if (m_domain == newDomain) { m_securityOrigin.setDomainFromDOM(newDomain); return; } int oldLength = m_domain.length(); int newLength = newDomain.length(); // e.g. newDomain=kde.org (7) and m_domain=www.kde.org (11) Layout test, http/tests/security/cross-frame-access-port-explicit-domain.html failed due to this. I verified that Firefox and Safari both allow change document.document to the current domain, and treat it as set by DOM after that, so cross frame access is possible when protocol and port are different. 61954 8 ian.eng.webkit 2007-11-21 16:20:20 -0800 More test results: Firefox does not allow http to access https even when both domain are the same and set to themselves. Sounds reasonable. 62417 9 sam 2007-11-26 17:53:10 -0800 Fix landed in r28062. 17421 2007-11-20 16:10:21 -0800 2007-11-20 16:55:13 -0800 A patch with a test bug16073.patch text/plain 4448 ian.eng.webkit SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDI3OTMz KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAKKzIwMDctMTEt MjAgIEZlbmcgUWlhbiA8aWFuLmVuZy53ZWJraXRAZ21haWwuY29tPgorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZpeGVkIGlzc3VlIDE2MDczLgorCisg ICAgICAgIEFkZGVkIGEgbGF5b3V0IHRlc3QuCisKKyAgICAgICAgKiBMYXlvdXRUZXN0c1xodHRw XHRlc3RzXHNlY3VyaXR5XHJlc291cmNlc1xpZnJhbWUtaW52YWxpZC1kb21haW4tY2hhbmdlLmh0 bWw6IEFkZGVkLgorICAgICAgICAqIExheW91dFRlc3RzXGh0dHBcdGVzdHNcc2VjdXJpdHlceHNz LURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFuZ2UtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAg ICAgKiBMYXlvdXRUZXN0c1xodHRwXHRlc3RzXHNlY3VyaXR5XHhzcy1ERU5JRUQtaW52YWxpZC1k b21haW4tY2hhbmdlLmh0bWw6IEFkZGVkLgorICAgICAgICAqIFdlYkNvcmVcZG9tXERvY3VtZW50 LmNwcDoKKwogMjAwNy0xMS0yMCAgTWFyayBSb3dlICA8bXJvd2VAYXBwbGUuY29tPgogCiAgICAg ICAgIFJldmlld2VkIGJ5IEFscCBUb2tlci4KSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMv c2VjdXJpdHkvcmVzb3VyY2VzL2lmcmFtZS1pbnZhbGlkLWRvbWFpbi1jaGFuZ2UuaHRtbAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3Jlc291cmNlcy9pZnJh bWUtaW52YWxpZC1kb21haW4tY2hhbmdlLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0 cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3Jlc291cmNlcy9pZnJhbWUtaW52YWxpZC1kb21haW4tY2hh bmdlLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTEgQEAKKzxib2R5PgorU29tZSB0ZXh0 IGhlcmUuCis8c2NyaXB0PgorLy8gU2hvdWxkIG5vdCBjaGFuZ2UgdGhlIGRvbWFpbi4KK3RyeSB7 CisgIGRvY3VtZW50LmRvbWFpbiA9ICdhcHBsZS5jb20nOworfSBjYXRjaCAoZSkgeworfQorCis8 L3NjcmlwdD4KKzwvYm9keT4KClByb3BlcnR5IGNoYW5nZXMgb246IExheW91dFRlc3RzXGh0dHBc dGVzdHNcc2VjdXJpdHlccmVzb3VyY2VzXGlmcmFtZS1pbnZhbGlkLWRvbWFpbi1jaGFuZ2UuaHRt bApfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fCk5hbWU6IHN2bjplb2wtc3R5bGUKICAgKyBMRgoKSW5kZXg6IExheW91dFRl c3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzLURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFuZ2Ut ZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkveHNzLURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFuZ2UtZXhwZWN0ZWQudHh0CShyZXZpc2lv biAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3MtREVOSUVELWludmFs aWQtZG9tYWluLWNoYW5nZS1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsNCBA QAorQ09OU09MRSBNRVNTQUdFOiBsaW5lIDE6IFVuc2FmZSBKYXZhU2NyaXB0IGF0dGVtcHQgdG8g YWNjZXNzIGZyYW1lIHdpdGggVVJMIGh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9zZWN1cml0eS9yZXNv dXJjZXMvaWZyYW1lLWludmFsaWQtZG9tYWluLWNoYW5nZS5odG1sIGZyb20gZnJhbWUgd2l0aCBV UkwgaHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L3hzcy1ERU5JRUQtaW52YWxpZC1kb21h aW4tY2hhbmdlLmh0bWwuIERvbWFpbnMsIHByb3RvY29scyBhbmQgcG9ydHMgbXVzdCBtYXRjaC4K KworCitQQVNTOiBjcm9zcy1zaXRlIG5vdCBhY2Nlc3MgYWxsb3dlZAoKUHJvcGVydHkgY2hhbmdl cyBvbjogTGF5b3V0VGVzdHNcaHR0cFx0ZXN0c1xzZWN1cml0eVx4c3MtREVOSUVELWludmFsaWQt ZG9tYWluLWNoYW5nZS1leHBlY3RlZC50eHQKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwpOYW1lOiBzdm46ZW9sLXN0eWxl CiAgICsgbmF0aXZlCgpJbmRleDogTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3Mt REVOSUVELWludmFsaWQtZG9tYWluLWNoYW5nZS5odG1sCj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRl c3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzLURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFuZ2Uu aHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNz LURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFuZ2UuaHRtbAkocmV2aXNpb24gMCkKQEAgLTAsMCAr MSwzNCBAQAorPGh0bWw+Cis8Ym9keT4KKzxpZnJhbWUgbmFtZT0nYUZyYW1lJyBzcmM9J2h0dHA6 Ly9sb2NhbGhvc3Q6ODAwMC9zZWN1cml0eS9yZXNvdXJjZXMvaWZyYW1lLWludmFsaWQtZG9tYWlu LWNoYW5nZS5odG1sJz48L2lmcmFtZT4KKworPGRpdiBpZD0iY29uc29sZSI+PC9kaXY+Cis8L2Jv ZHk+Cis8c2NyaXB0PgoraWYgKHdpbmRvdy5sYXlvdXRUZXN0Q29udHJvbGxlcikgeworICAgIGxh eW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAgICBsYXlvdXRUZXN0Q29udHJvbGxl ci53YWl0VW50aWxEb25lKCk7Cit9CisKK3RyeSB7CisgIC8vIGNoYW5nZSBvd24gZG9tYWluIHRv IGFuIGludmFsaWQgb25lCisgIGRvY3VtZW50LmRvbWFpbiA9ICdhcHBsZS5jb20nOworfSBjYXRj aCAoZSkgeworfQorCit3aW5kb3cub25sb2FkID0gY3Jvc3NfZnJhbWVfYWNjZXNzOworCitmdW5j dGlvbiBjcm9zc19mcmFtZV9hY2Nlc3MoKSB7CisgIHZhciBhZnJhbWUgPSB3aW5kb3cuZnJhbWVz WzBdOworICB0cnkgeworICAgIGlmICh0eXBlb2YgYWZyYW1lLmRvY3VtZW50ID09ICd1bmRlZmlu ZWQnKSB0aHJvdyAxOworICAgIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJjb25zb2xlIikuaW5u ZXJIVE1MID0gIkZBSUw6IGNyb3NzLXNpdGUgYWNjZXNzIGFsbG93ZWQiOworICB9IGNhdGNoIChl KSB7CisgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImNvbnNvbGUiKS5pbm5lckhUTUwgPSAi UEFTUzogY3Jvc3Mtc2l0ZSBub3QgYWNjZXNzIGFsbG93ZWQiOworICB9CisKKyAgaWYgKHdpbmRv dy5sYXlvdXRUZXN0Q29udHJvbGxlcikKKyAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5ub3RpZnlE b25lKCk7Cit9Cis8L3NjcmlwdD4KKzwvaHRtbD4KClByb3BlcnR5IGNoYW5nZXMgb246IExheW91 dFRlc3RzXGh0dHBcdGVzdHNcc2VjdXJpdHlceHNzLURFTklFRC1pbnZhbGlkLWRvbWFpbi1jaGFu Z2UuaHRtbApfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fCk5hbWU6IHN2bjplb2wtc3R5bGUKICAgKyBMRgoKSW5kZXg6IFdl YkNvcmUvZG9tL0RvY3VtZW50LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2RvbS9Eb2N1bWVu dC5jcHAJKHJldmlzaW9uIDI3OTMwKQorKysgV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0yNjI3LDEyICsyNjI3LDEyIEBAIHZvaWQgRG9jdW1lbnQ6OnNldERvbWFp bihjb25zdCBTdHJpbmcmIG4KICAgICAgICAgICAgIC8vIE5vdyB0ZXN0IGlzICJrZGUub3JnIiBm cm9tIG1fZG9tYWluCiAgICAgICAgICAgICAvLyBhbmQgd2UgY2hlY2sgdGhhdCBpdCdzIHRoZSBz YW1lIHRoaW5nIGFzIG5ld0RvbWFpbgogICAgICAgICAgICAgdGVzdC5yZW1vdmUoMCwgb2xkTGVu Z3RoIC0gbmV3TGVuZ3RoKTsKLSAgICAgICAgICAgIGlmICh0ZXN0ID09IG5ld0RvbWFpbikKKyAg ICAgICAgICAgIGlmICh0ZXN0ID09IG5ld0RvbWFpbikgewogICAgICAgICAgICAgICAgIG1fZG9t YWluID0gbmV3RG9tYWluOworICAgICAgICAgICAgICAgIG1fc2VjdXJpdHlPcmlnaW4uc2V0RG9t YWluRnJvbURPTShuZXdEb21haW4pOworICAgICAgICAgICAgfQogICAgICAgICB9CiAgICAgfQot Ci0gICAgbV9zZWN1cml0eU9yaWdpbi5zZXREb21haW5Gcm9tRE9NKG5ld0RvbWFpbik7CiB9CiAK IHZvaWQgRG9jdW1lbnQ6OnNldERvbWFpbkludGVybmFsKGNvbnN0IFN0cmluZyYgbmV3RG9tYWlu KQo=