16824 2008-01-10 13:44:01 -0800 Script authorization should follow lexical (not dynamic) scope 2012-06-11 11:38:52 -0700 1 1 1 Unclassified WebKit WebCore JavaScript 528+ (Nightly build) All All RESOLVED FIXED http://crypto.stanford.edu/~abarth/research/webkit/static/ InRadar P2 Normal --- 16011 1 abarth webkit-unassigned arv brendan collinj ggaren koivisto mal mjs sam oldest_to_newest 66794 0 abarth 2008-01-10 13:44:01 -0800 There are two methods for determining the security context associated with a given script: 1) Lexical scope: Pick the principal associated with the document that contains the script. 2) Dynamic scope: Walk up the run-time stack and pick the principal associated with the top-most stack frame. Firefox and Internet Explorer use the lexical scope for authorization. Safari and Opera use the dynamic scope for authorization. HTML 5 specifies that user agents use the lexical scope: "The origin of the script is the origin of the Document to which the script element belongs." <http://www.whatwg.org/specs/web-apps/current-work/#origin> WebKit should match Firefox, Internet Explorer, and the HTML 5 spec by using the lexical scope for authorization. 66797 1 18375 abarth 2008-01-10 13:48:07 -0800 Created attachment 18375 Preliminary patch Attached is a preliminary patch. It breaks 4 security LayoutTests. This seems to be because DOMWindow retains its m_frame pointer after the frame has navigated to a new URL. 66803 2 abarth 2008-01-10 13:53:22 -0800 > It breaks 4 security LayoutTests. Oops. Typo. 6 security LayoutTests. 66817 3 18379 collinj 2008-01-10 15:05:32 -0800 Created attachment 18379 Example of dangers of dynamic scope (needs to be run from a file URL) Dynamic scope makes it extremely difficult to write correct code when code from different origins interacts (for example, when a file:// page access an http:// page in bug 16011). Here is a test case that is designed to be run from a file:// URL. It creates an iframe to an http://crypto.stanford.edu/ page and implicitly calls the toString() method of that frame: "My child is " + frames[0] Because dynamic scope is used, the crypto.stanford.edu page can hijack the privileges of its parent file:// page and steal your cookies from any site. If lexical scope were employed, the attacker could still overwrite the toString() method but wouldn't gain any additional privileges. This is hard for web attackers to exploit because Safari prevents web sites from directing the browsers from file:// URLs. As shown by the LayoutTest included in the patch, however, http sites can also run into this problem using document.domain. 66821 4 collinj 2008-01-10 15:11:32 -0800 > This is hard for web attackers to exploit because Safari prevents web sites > from directing the browsers from file:// URLs. Oops. Typo. Safari prevents web sites from directing the browser *to* file:// URLs. 66876 5 ddkilzer 2008-01-10 21:32:46 -0800 <rdar://problem/5683032> 69730 6 abarth 2008-02-07 23:10:08 -0800 I don't have access to <rdar://problem/5698200> (a compatibility issue with eBay), but it appears to be a duplicate of this bug. The patch committed for that issue (r30009) seems to be wrong. That patch first checks access using dynamic authorization, and, if that fails because document.domain was set, retries the access check with static authorization. The correct fix would appear to be to adopt static authorization (matching IE and Firefox) as recommended in this bug. 79402 7 sam 2008-05-01 19:13:03 -0700 Fixed in r32791. 18375 2008-01-10 13:48:07 -0800 2008-01-10 13:48:07 -0800 Preliminary patch lexical.patch text/plain 4977 abarth SW5kZXg6IFdlYkNvcmUvYmluZGluZ3MvanMva2pzX3dpbmRvdy5oCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdl YkNvcmUvYmluZGluZ3MvanMva2pzX3dpbmRvdy5oCShyZXZpc2lvbiAyOTM0MikKKysrIFdlYkNv cmUvYmluZGluZ3MvanMva2pzX3dpbmRvdy5oCSh3b3JraW5nIGNvcHkpCkBAIC0xMjQsNyArMTI0 LDcgQEAKICAgICB2aXJ0dWFsIGJvb2wgc2hvdWxkSW50ZXJydXB0U2NyaXB0KCkgY29uc3Q7CiAK ICAgICB2aXJ0dWFsIGJvb2wgYWxsb3dzQWNjZXNzRnJvbShjb25zdCBKU0dsb2JhbE9iamVjdCop IGNvbnN0OwotICAgIGJvb2wgYWxsb3dzQWNjZXNzRnJvbShFeGVjU3RhdGUqIGV4ZWMpIGNvbnN0 IHsgcmV0dXJuIGFsbG93c0FjY2Vzc0Zyb20oZXhlYy0+ZHluYW1pY0dsb2JhbE9iamVjdCgpKTsg fQorICAgIGJvb2wgYWxsb3dzQWNjZXNzRnJvbShFeGVjU3RhdGUqIGV4ZWMpIGNvbnN0IHsgcmV0 dXJuIGFsbG93c0FjY2Vzc0Zyb20ocmV0cmlldmVBY3RpdmUoZXhlYykpOyB9CiAKICAgICB2aXJ0 dWFsIHZvaWQgZ2V0UHJvcGVydHlOYW1lcyhFeGVjU3RhdGUqLCBQcm9wZXJ0eU5hbWVBcnJheSYp OwogCkluZGV4OiBXZWJDb3JlL2JpbmRpbmdzL2pzL0pTRE9NV2luZG93Q3VzdG9tLmNwcAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBXZWJDb3JlL2JpbmRpbmdzL2pzL0pTRE9NV2luZG93Q3VzdG9tLmNwcAkocmV2 aXNpb24gMjkzNDIpCisrKyBXZWJDb3JlL2JpbmRpbmdzL2pzL0pTRE9NV2luZG93Q3VzdG9tLmNw cAkod29ya2luZyBjb3B5KQpAQCAtMTE3LDcgKzExNyw3IEBACiB7CiAgICAgRE9NV2luZG93KiB3 aW5kb3cgPSBpbXBsKCk7CiAgICAgCi0gICAgRE9NV2luZG93KiBzb3VyY2UgPSBzdGF0aWNfY2Fz dDxKU0RPTVdpbmRvdyo+KGV4ZWMtPmR5bmFtaWNHbG9iYWxPYmplY3QoKSktPmltcGwoKTsKKyAg ICBET01XaW5kb3cqIHNvdXJjZSA9IFdpbmRvdzo6cmV0cmlldmVBY3RpdmUoZXhlYyktPmltcGwo KTsKICAgICBTdHJpbmcgZG9tYWluID0gc291cmNlLT5kb2N1bWVudCgpLT5zZWN1cml0eU9yaWdp bigpLT5kb21haW4oKTsKICAgICBTdHJpbmcgdXJpID0gc291cmNlLT5kb2N1bWVudCgpLT5kb2N1 bWVudFVSSSgpOwogICAgIFN0cmluZyBtZXNzYWdlID0gYXJnc1swXS0+dG9TdHJpbmcoZXhlYyk7 CkluZGV4OiBXZWJDb3JlL2JpbmRpbmdzL2pzL0pTRG9jdW1lbnRDdXN0b20uY3BwCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIFdlYkNvcmUvYmluZGluZ3MvanMvSlNEb2N1bWVudEN1c3RvbS5jcHAJKHJldmlzaW9u IDI5MzQyKQorKysgV2ViQ29yZS9iaW5kaW5ncy9qcy9KU0RvY3VtZW50Q3VzdG9tLmNwcAkod29y a2luZyBjb3B5KQpAQCAtNjcsNyArNjcsNyBAQAogCiAgICAgLy8gSUUgYW5kIE1vemlsbGEgYm90 aCByZXNvbHZlIHRoZSBVUkwgcmVsYXRpdmUgdG8gdGhlIHNvdXJjZSBmcmFtZSwKICAgICAvLyBu b3QgdGhlIHRhcmdldCBmcmFtZS4KLSAgICBGcmFtZSogYWN0aXZlRnJhbWUgPSBzdGF0aWNfY2Fz dDxKU0RPTVdpbmRvdyo+KGV4ZWMtPmR5bmFtaWNHbG9iYWxPYmplY3QoKSktPmltcGwoKS0+ZnJh bWUoKTsKKyAgICBGcmFtZSogYWN0aXZlRnJhbWUgPSBXaW5kb3c6OnJldHJpZXZlQWN0aXZlKGV4 ZWMpLT5pbXBsKCktPmZyYW1lKCk7CiAgICAgaWYgKGFjdGl2ZUZyYW1lKQogICAgICAgICBzdHIg PSBhY3RpdmVGcmFtZS0+ZG9jdW1lbnQoKS0+Y29tcGxldGVVUkwoc3RyKTsKIApJbmRleDogV2Vi Q29yZS9iaW5kaW5ncy9qcy9ranNfd2luZG93LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2Jp bmRpbmdzL2pzL2tqc193aW5kb3cuY3BwCShyZXZpc2lvbiAyOTM0MikKKysrIFdlYkNvcmUvYmlu ZGluZ3MvanMva2pzX3dpbmRvdy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTI0OSw3ICsyNDksNyBA QAogCiBXaW5kb3cqIFdpbmRvdzo6cmV0cmlldmVBY3RpdmUoRXhlY1N0YXRlKiBleGVjKQogewot ICAgIEpTR2xvYmFsT2JqZWN0KiBnbG9iYWxPYmplY3QgPSBleGVjLT5keW5hbWljR2xvYmFsT2Jq ZWN0KCk7CisgICAgSlNHbG9iYWxPYmplY3QqIGdsb2JhbE9iamVjdCA9IGV4ZWMtPmxleGljYWxH bG9iYWxPYmplY3QoKTsKICAgICBBU1NFUlQoZ2xvYmFsT2JqZWN0KTsKICAgICByZXR1cm4gc3Rh dGljX2Nhc3Q8V2luZG93Kj4oZ2xvYmFsT2JqZWN0KTsKIH0KSW5kZXg6IExheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkvcmVzb3VyY2VzL2F1dGhvcml6YXRpb24tZm9sbG93cy1sZXhpY2Fs LXNjb3BlLWlmcmFtZS5odG1sCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2h0dHAvdGVzdHMv c2VjdXJpdHkvcmVzb3VyY2VzL2F1dGhvcml6YXRpb24tZm9sbG93cy1sZXhpY2FsLXNjb3BlLWlm cmFtZS5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS9yZXNvdXJjZXMvYXV0aG9yaXphdGlvbi1mb2xsb3dzLWxleGljYWwtc2NvcGUtaWZyYW1lLmh0 bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTMgQEAKKzxodG1sPgorPGJvZHk+Cis8c2NyaXB0 PgorICAgIHZhciBhY2Nlc3NMZXhpY2FsID0gcGFyZW50LmRvY3VtZW50LmRlZmF1bHRWaWV3LmFj Y2Vzc0xleGljYWw7CisgICAgcGFyZW50LmFjY2Vzc0R5bmFtaWMgPSBmdW5jdGlvbigpIHsKKyAg ICAgICAgcGFyZW50LmRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJkeW5hbWljcmVzdWx0IikuaW5u ZXJIVE1MID0KKyAgICAgICAgICAgICJUZXN0IEZhaWxlZDogQWNjZXNzIHdpdGggZHluYW1pYyBh dXRob3JpemF0aW9uIHdhcyBhbGxvd2VkLiI7CisgICAgfQorICAgIGRvY3VtZW50LmRvbWFpbiA9 ICIwLjAuMSI7CisgICAgYWNjZXNzTGV4aWNhbCgpOworPC9zY3JpcHQ+Cis8L2JvZHk+Cis8L2h0 bWw+CkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2F1dGhvcml6YXRpb24t Zm9sbG93cy1sZXhpY2FsLXNjb3BlLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS9hdXRob3JpemF0aW9uLWZvbGxvd3MtbGV4aWNhbC1zY29wZS5odG1s CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9hdXRob3Jp emF0aW9uLWZvbGxvd3MtbGV4aWNhbC1zY29wZS5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCwwICsx LDQzIEBACis8aHRtbD4KKzxoZWFkPgorPHNjcmlwdD4KKyAgICBpZiAod2luZG93LmxheW91dFRl c3RDb250cm9sbGVyKSB7CisgICAgICAgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQo KTsKKyAgICB9Cis8L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorICAgIDxkaXYgaWQ9ImRpdjAi PgorICAgICAgICBUaGlzIHRlc3QgaXMgdG8gc2VlIHdoZXRoZXIgbGV4aWNhbCAoc3RhdGljKSBz Y29wZSBvciBkeW5hbWljIHNjb3BlIGlzIHVzZWQgZm9yIGF1dGhvcml6YXRpb24uIAorICAgIDwv ZGl2PgorICAgIDxkaXYgaWQ9ImxleGljYWxyZXN1bHQiPlRlc3Qgbm90IHJ1biBjb3JyZWN0bHku PC9kaXY+CisgICAgPGRpdiBpZD0iZHluYW1pY3Jlc3VsdCI+VGVzdCBub3QgcnVuIGNvcnJlY3Rs eS48L2Rpdj4KKyAgICA8c2NyaXB0PgorICAgICAgICB2YXIgbGV4aWNhbHJlc3VsdCA9IGRvY3Vt ZW50LmdldEVsZW1lbnRCeUlkKCJsZXhpY2FscmVzdWx0Iik7CisgICAgICAgIHZhciBkeW5hbWlj cmVzdWx0ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImR5bmFtaWNyZXN1bHQiKTsKKworICAg ICAgICB3aW5kb3cuYWNjZXNzTGV4aWNhbCA9IGZ1bmN0aW9uKCkgeworICAgICAgICAgICAgbGV4 aWNhbHJlc3VsdC5pbm5lckhUTUwgPSAiVGVzdCBQYXNzZWQ6IEFjY2VzcyB3aXRoIGxleGljYWwg YXV0aG9yaXphdGlvbiB3YXMgYWxsb3dlZC4iOworICAgICAgICB9CisKKyAgICAgICAgZnVuY3Rp b24gZmluaXNoKCkgeworICAgICAgICAgICAgaWYgKGxleGljYWxyZXN1bHQuaW5uZXJIVE1MID09 ICJUZXN0IG5vdCBydW4gY29ycmVjdGx5LiIpIHsKKyAgICAgICAgICAgICAgICBsZXhpY2FscmVz dWx0LmlubmVySFRNTCA9ICJUZXN0IEZhaWxlZDogQWNjZXNzIHdpdGggbGV4aWNhbCBhdXRob3Jp emF0aW9uIHdhcyBibG9ja2VkLiI7CisgICAgICAgICAgICB9CisKKyAgICAgICAgICAgIHRyeSB7 CisgICAgICAgICAgICAgICAgd2luZG93LmFjY2Vzc0R5bmFtaWMoKTsKKyAgICAgICAgICAgIH0g Y2F0Y2ggKGV4KSB7CisgICAgICAgICAgICB9CisKKyAgICAgICAgICAgIGlmIChkeW5hbWljcmVz dWx0LmlubmVySFRNTCA9PSAiVGVzdCBub3QgcnVuIGNvcnJlY3RseS4iKSB7CisgICAgICAgICAg ICAgICAgZHluYW1pY3Jlc3VsdC5pbm5lckhUTUwgPSAiVGVzdCBQYXNzZWQuIEFjY2VzcyB3aXRo IGR5bmFtaWMgYXV0aG9yaXphdGlvbiB3YXMgYmxvY2tlZC4iOworICAgICAgICAgICAgfQorCisg ICAgICAgICAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAgICAgICAg ICAgIGxheW91dFRlc3RDb250cm9sbGVyLm5vdGlmeURvbmUoKTsKKyAgICAgICAgfQorICAgIDwv c2NyaXB0PgorICAgIDxpZnJhbWUgc3JjPSJyZXNvdXJjZXMvYXV0aG9yaXphdGlvbi1mb2xsb3dz LWxleGljYWwtc2NvcGUtaWZyYW1lLmh0bWwiIG9ubG9hZD0iZmluaXNoKCk7Ij48L2lmcmFtZT4K KzwvYm9keT4KKzwvaHRtbD4K 18379 2008-01-10 15:05:32 -0800 2008-01-10 15:05:32 -0800 Example of dangers of dynamic scope (needs to be run from a file URL) run-from-file-url.html text/html 916 collinj PGh0bWw+DQo8aGVhZD4NCjxzdHlsZT4NCmlmcmFtZSB7IGhlaWdodDogMjUwcHg7IHdpZHRoOiA2 MDBweDsgfQ0KPC9zdHlsZT4NCjxzY3JpcHQ+DQp3aW5kb3cub25sb2FkID0gZnVuY3Rpb24gKCkg ew0KICBpZiAod2luZG93LmxvY2F0aW9uLnByb3RvY29sICE9ICJmaWxlOiIpIHsNCiAgICBkb2N1 bWVudC5nZXRFbGVtZW50QnlJZCgiY29uc29sZSIpLmlubmVySFRNTCA9DQogICAgICAiQ291bGQg bm90IHJ1biB0aGUgdGVzdC4gWW91IG11c3QgdmlldyB0aGlzIHBhZ2UgZnJvbSBhIGZpbGU6Ly8i ICsgDQogICAgICAiIFVSTC4iOw0KICAgIHJldHVybjsNCiAgfQ0KDQogIHRyeSB7IA0KICAgIGRv Y3VtZW50LmdldEVsZW1lbnRCeUlkKCJjb25zb2xlIikuaW5uZXJIVE1MID0NCiAgICAgICJNeSBj aGlsZCBpcyAiICsgZnJhbWVzWzBdOw0KICB9IGNhdGNoKGV4KSB7DQogICAgZG9jdW1lbnQuZ2V0 RWxlbWVudEJ5SWQoImNvbnNvbGUiKS5pbm5lckhUTUwgPSANCiAgICAgICJVbmFibGUgdG8gY2Fs bCBiZWdpblRlc3QoKSBvbiBjaGlsZCBmcmFtZS4gVGhpcyBtYXkgaW5kaWNhdGUgIiArIA0KICAg ICAgInRoYXQgZmlsZTovLyBVUkxzIGNhbm5vdCBhY2Nlc3MgaHR0cDovLyBVUkxzIGluIHlvdXIg YnJvd3Nlci4iOw0KICB9DQp9DQo8L3NjcmlwdD4NCjwvaGVhZD4NCjxib2R5Pg0KPHNjcmlwdD5k b2N1bWVudC53cml0ZShkb2N1bWVudC5sb2NhdGlvbi5ocmVmKTwvc2NyaXB0Pg0KPGRpdj48aWZy YW1lIHNyYz0iaHR0cDovL2NyeXB0by5zdGFuZm9yZC5lZHUvfmFiYXJ0aC9yZXNlYXJjaC93ZWJr aXQvc3RhdGljL2Zyb21GaWxlVXJsLmh0bWwiPjwvaWZyYW1lPjwvZGl2Pg0KPGRpdiBpZD0iY29u c29sZSI+V2FpdGluZyBmb3IgaWZyYW1lIHRvIGxvYWQuLi48L2Rpdj4NCjwvYm9keT4NCjwvaHRt bD4NCg==