16968 2008-01-21 23:13:52 -0800 Security violations in Acid3 test 2008-01-29 00:17:35 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Mac OS X 10.4 RESOLVED INVALID http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html P2 Normal --- 1 eric webkit-unassigned abarth collinj gavin.sharp ian jruderman jwalden+bwo mjs sam webkit oldest_to_newest 67919 0 eric 2008-01-21 23:13:52 -0800 Security violations in Acid3 test I expect that these are calls to object.contentDocument. I'm not certain. I'm also not sure if this behavior is correct or not. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match. 67950 1 sam 2008-01-22 09:24:48 -0800 I don't think this is usage of data: URLs is appropriate for the Acid3 test as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS. Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme if that is how you roll) differ. Hixie, if you agree, the issue can be mitigated by using a file on the same domain. 68089 2 jruderman 2008-01-23 21:33:33 -0800 Duplicate of bug 11885? 68090 3 jruderman 2008-01-23 21:37:00 -0800 You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS". 68540 4 eric 2008-01-29 00:17:35 -0800 Acid3 has changed the test. So I think we can close this and leave bug 11885 to handle any desired changes to data: url handling.