<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>26989</bug_id>
          <alias>unsaferedirect</alias>
          <creation_ts>2009-07-06 07:37:54 -0700</creation_ts>
          <short_desc>Should allow cross-origin navigation of top-level openers</short_desc>
          <delta_ts>2009-09-23 18:57:23 -0700</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebKit</product>
          <component>JavaScriptCore</component>
          <version>528+ (Nightly build)</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc>http://msdesign.dk/oes/filer/_test.htm</bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar, NeedsReduction</keywords>
          <priority>P2</priority>
          <bug_severity>Major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Steen Nielsen">steen</reporter>
          <assigned_to name="Sam Weinig">sam</assigned_to>
          <cc>abarth</cc>
    
    <cc>sam</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>129947</commentid>
    <comment_count>0</comment_count>
    <who name="Steen Nielsen">steen</who>
    <bug_when>2009-07-06 07:37:54 -0700</bug_when>
<thetext>Feature or bug, I don&apos;t know. People on the IRC channel (#webkit) said I should report it as a bug and get my answer that way.

On the domain http://example1.com we visit the page &quot;page1.html&quot;; here we open a popup with the page http://example2.com/popup1.
Inside &quot;popup1&quot; is a JavaScript statement, window.opener.location.href = &quot;http://example1.com/page2.html&quot;, that runs onload.

In Firefox 3.5 and Internet Explorer 8 this results in the opener (http://example1.com/page1.html) being set to &quot;http://example1.com/page2.html&quot;.

On Safari 4 and Chrome 2 this produces a common error: &quot;Unsafe JavaScript attempt to initiate a navigation change for frame with URL %s1 from frame with URL %s2.&quot;
Safari 4 furthermore returns the error: &quot;Unsafe JavaScript attempt to access frame with URL %s1 from frame with URL %s2. Domains, protocols and ports must match.&quot;

%s1 = http://example1.com/page1.html
%s2 = http://example2.com/popup1

I know that there have been a great amount of security enhancements lately, but is this supposed to be one of them?

If it is supposed to, how is it possible to get around this restriction?
Many payment companies use this method for webshops, at least in Denmark. You open a popup window with credit card payment options (MasterCard, Visa and so forth), and when you have gone through the payment, the popup closes and redirects the user to an order confirmation on the webshop - this is a vital element.
If the user is not redirected back to the webshop, the webshop system won&apos;t know that the order has gone through and the user will not be presented with an order confirmation, but the payment will have gone through. This results in a lot of users paying for things they don&apos;t get.

I have tried to find a document describing whether there&apos;s a workaround - where you could allow a certain website to make this redirect - but it has not been possible for me to find one.
I&apos;ve read that there is an &quot;Access-Control-Allow-Origin&quot; response header for cross-domain requests, but after trying it out, it doesn&apos;t seem to have any effect.

I have a very simple test-case here: http://msdesign.dk/oes/filer/_test.htm
It will open a popup at the page http://www.swine.dk/spil/_test2.html?things=tadaa
The popup tries to redirect the window.opener to http://msdesign.dk/oes/filer/_test2.htm

In Firefox 3.5 and Internet Explorer 8 it works, but not in Safari 4 or Chrome 2.

I hope there is a solution to this.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>129969</commentid>
    <comment_count>1</comment_count>
    <who name="Mark Rowe (bdash)">mrowe</who>
    <bug_when>2009-07-06 11:24:26 -0700</bug_when>
    <thetext>&lt;rdar://problem/7034025&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>149316</commentid>
    <comment_count>2</comment_count>
    <who name="Sam Weinig">sam</who>
    <bug_when>2009-09-22 22:16:34 -0700</bug_when>
    <thetext>Adam, do you have any thoughts on allowing a popup to navigate its opener, even if they are of different origins?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>149320</commentid>
    <comment_count>3</comment_count>
    <who name="Adam Barth">abarth</who>
    <bug_when>2009-09-22 23:09:29 -0700</bug_when>
    <thetext>It sounds like the opener restriction is preventing the navigation (because example2.com is not the opener of example1.com).  In general, it&apos;s hard to state a threat model in which the opener restriction buys you much security.

It seems fine to allow this case, especially if that makes us more compatible with Firefox 3.5.  It seems similar to allowing frame-busting (just popups instead of iframes).</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>149550</commentid>
    <comment_count>4</comment_count>
      <attachid>40030</attachid>
    <who name="Sam Weinig">sam</who>
    <bug_when>2009-09-23 16:52:26 -0700</bug_when>
    <thetext>Created attachment 40030
patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>149616</commentid>
    <comment_count>5</comment_count>
      <attachid>40030</attachid>
    <who name="Adam Barth">abarth</who>
    <bug_when>2009-09-23 18:42:14 -0700</bug_when>
    <thetext>Comment on attachment 40030
patch

Precisely.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>149619</commentid>
    <comment_count>6</comment_count>
    <who name="Sam Weinig">sam</who>
    <bug_when>2009-09-23 18:57:23 -0700</bug_when>
    <thetext>Fixed in r48695.</thetext>
  </long_desc>
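The scenario in comment 0 and the policy question in comment 3, as an added example that is not part of the bug, of the WebKit patch, or of any browser's code. It is a small model of the frame-navigation check, runnable under Node: the pre-fix rule is assumed (not stated on the page) to be "a source may navigate a target if they are same-origin, if the target is a descendant of the source, or if the source is the target's opener", and the post-fix rule additionally lets a window navigate its own top-level opener across origins. The URLs are the ones from the bug report; the window objects and the noopener case are constructed here.

```javascript
// Added example, not WebKit code: a model of the navigation policy discussed
// in this bug. Assumption: the pre-fix rule is "same-origin, or target is a
// descendant of source, or source is target's opener"; the post-fix rule also
// lets a window navigate its own top-level opener, even cross-origin.

// Same-origin tuple: scheme, host and port ("Domains, protocols and ports must match").
function origin(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.host;
}

// A browsing context as a plain object; 'parent' links frames, 'opener' links popups.
function makeWindow(url, links) {
  const l = links || {};
  return { url, parent: l.parent || null, opener: l.opener || null };
}

function topOf(win) {
  let w = win;
  while (w.parent !== null) w = w.parent;
  return w;
}

function isDescendant(target, source) {
  for (let w = target.parent; w !== null; w = w.parent) {
    if (w === source) return true;
  }
  return false;
}

function sameOrigin(a, b) {
  return origin(a.url) === origin(b.url);
}

// Policy before the fix, as modelled above: example2.com/popup1 is not the
// opener of example1.com/page1.html, so the cross-origin navigation is refused.
function canNavigateOld(source, target) {
  if (sameOrigin(source, target)) return true;
  if (isDescendant(target, source)) return true; // a frame may navigate its own subframes
  if (target.opener === source) return true;      // an opener may navigate what it opened
  return false;
}

// Policy after the fix: a popup may also navigate its own top-level opener.
function canNavigateNew(source, target) {
  if (canNavigateOld(source, target)) return true;
  if (target.parent === null) {
    if (topOf(source).opener === target) return true;
  }
  return false;
}

// Simulates `window.opener.location.href = url` executed inside `popup`.
function navigateOpener(popup, url, policy) {
  const target = popup.opener;
  if (target === null) {
    return { ok: false, reason: 'no opener: popup was opened with noopener' };
  }
  if (!policy(popup, target)) {
    return { ok: false, reason: 'Unsafe JavaScript attempt to initiate a navigation change' };
  }
  target.url = url; // the opener tab is redirected
  return { ok: true, reason: '' };
}

// The reporter's scenario: the webshop opens a cross-origin payment popup,
// which then tries to send the webshop tab to the order confirmation page.
function scenario(policy, noopener) {
  const webshop = makeWindow('http://example1.com/page1.html');
  const popup = makeWindow('http://example2.com/popup1', { opener: noopener ? null : webshop });
  const result = navigateOpener(popup, 'http://example1.com/page2.html', policy);
  return { ok: result.ok, reason: result.reason, openerUrl: webshop.url };
}

console.log('old policy :', scenario(canNavigateOld, false));
console.log('new policy :', scenario(canNavigateNew, false));
console.log('noopener   :', scenario(canNavigateNew, true));
```

Two practitioner notes on this. Access-Control-Allow-Origin governs whether a page may read a cross-origin HTTP response; it says nothing about which window may navigate which, so it is expected that setting it had no effect on the reporter's test case. And the flip side of comment 3 is that any page a site opens in a popup can now send the opening tab elsewhere; a site that does not want that opens the popup with rel="noopener" (or the noopener window.open feature), which leaves window.opener null in the popup, as the third call above shows, and which also removes the link the payment flow here depends on.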
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>40030</attachid>
            <date>2009-09-23 16:52:26 -0700</date>
            <delta_ts>2009-09-23 18:42:13 -0700</delta_ts>
            <desc>patch</desc>
            <filename>navigation.diff</filename>
            <type>text/plain</type>
            <size>5182</size>
            <attacher name="Sam Weinig">sam</attacher>
            
              <data encoding="base64">SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09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==
</data>
<flag name="review"
          id="21191"
          type_id="1"
          status="+"
          setter="abarth"
    />
          </attachment>
      

    </bug>

</bugzilla>