62054 2011-06-03 14:33:38 -0700 Disconnect DOMWindow from Frame on navigation 2022-06-22 17:09:32 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 69949 P2 Normal --- 1 webkit.review.bot abarth abarth ap deshnawysameh eric sam oldest_to_newest 415204 0 webkit.review.bot 2011-06-03 14:33:38 -0700 Disconnect DOMWindow from Frame on navigation Requested by abarth on #webkit. 415587 1 abarth 2011-06-04 23:41:03 -0700 I looked at this a bit. It's somewhat subtle. 415664 2 sam 2011-06-05 17:23:03 -0700 Adam, can you explain more about this, for instance the motivation and observable effects. 415666 3 abarth 2011-06-05 17:27:24 -0700 > Adam, can you explain more about this, for instance the motivation and observable effects. The effects shouldn't be observable. It's a mitigation for UXSS vulnerabilities. Today the DOMWindow keeps a pointer to the Frame after navigation, which means folks can get confused when they're doing security checks related to DOMWindow because they might check domWindow->securityOrigin() or domWindow->document() and then operate on domWindow->frame(). In that scenario, they'll operate on a document whose security origin they haven't checked. We've seen at least on example of this recently. 415667 4 sam 2011-06-05 17:30:21 -0700 (In reply to comment #3) > > Adam, can you explain more about this, for instance the motivation and observable effects. > > The effects shouldn't be observable. It's a mitigation for UXSS vulnerabilities. Today the DOMWindow keeps a pointer to the Frame after navigation, which means folks can get confused when they're doing security checks related to DOMWindow because they might check domWindow->securityOrigin() or domWindow->document() and then operate on domWindow->frame(). In that scenario, they'll operate on a document whose security origin they haven't checked. We've seen at least on example of this recently. I see. What would the plan for reconnecting it be (for the case of the back/forward cache I guess)? 415669 5 abarth 2011-06-05 17:54:13 -0700 > I see. What would the plan for reconnecting it be (for the case of the back/forward cache I guess)? I haven't studied that aspect of the problem yet, but it's just a pointer. We can set it to be non-null again. 415684 6 sam 2011-06-05 20:29:50 -0700 (In reply to comment #5) > > I see. What would the plan for reconnecting it be (for the case of the back/forward cache I guess)? > > I haven't studied that aspect of the problem yet, but it's just a pointer. We can set it to be non-null again. Such witchcraft would never be permitted. 415924 7 96104 abarth 2011-06-06 11:46:04 -0700 Created attachment 96104 Hacks, lies, and work-in-progress 482597 8 abarth 2011-10-12 12:15:51 -0700 *** This bug has been marked as a duplicate of bug 69949 *** 96104 2011-06-06 11:46:04 -0700 2011-06-06 11:46:04 -0700 Hacks, lies, and work-in-progress bug-62054-20110606114603.patch text/plain 5069 abarth SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDg4MTc1KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjUgQEAKKzIwMTEtMDYtMDYgIEFkYW0gQmFy dGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBEaXNjb25uZWN0IERPTVdpbmRvdyBmcm9tIEZyYW1lIG9uIG5hdmln YXRpb24KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTYy MDU0CisKKyAgICAgICAgTm8gbmV3IHRlc3RzLiAoT09QUyEpCisKKyAgICAgICAgKiBiaW5kaW5n cy9qcy9KU0RPTVdpbmRvd0Jhc2UuY3BwOgorICAgICAgICAoV2ViQ29yZTo6SlNET01XaW5kb3dC YXNlOjp1cGRhdGVEb2N1bWVudCk6CisgICAgICAgICogYmluZGluZ3MvanMvSlNET01XaW5kb3dC YXNlLmg6CisgICAgICAgICogYmluZGluZ3MvanMvU2NyaXB0Q29udHJvbGxlci5jcHA6CisgICAg ICAgIChXZWJDb3JlOjpTY3JpcHRDb250cm9sbGVyOjppbml0U2NyaXB0KToKKyAgICAgICAgKFdl YkNvcmU6OlNjcmlwdENvbnRyb2xsZXI6OnVwZGF0ZURvY3VtZW50KToKKyAgICAgICAgKiBkb20v RG9jdW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RG9jdW1lbnQ6OmRldGFjaCk6CisgICAg ICAgICogcGFnZS9ET01XaW5kb3cuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RE9NV2luZG93Ojpk aXNjb25uZWN0RnJhbWUpOgorICAgICAgICAqIHBhZ2UvRnJhbWUuY3BwOgorICAgICAgICAoV2Vi Q29yZTo6RnJhbWU6OmNsZWFyRE9NV2luZG93KToKKwogMjAxMS0wNi0wNiAgWWFlbCBBaGFyb24g IDx5YWVsLmFoYXJvbkBub2tpYS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRXJpYyBTZWlk ZWwuCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9KU0RPTVdpbmRvd0Jhc2UuY3Bw Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL2pzL0pTRE9NV2luZG93QmFz ZS5jcHAJKHJldmlzaW9uIDg4MTc0KQorKysgU291cmNlL1dlYkNvcmUvYmluZGluZ3MvanMvSlNE T01XaW5kb3dCYXNlLmNwcAkod29ya2luZyBjb3B5KQpAQCAtNTgsMTEgKzU4LDEwIEBAIEpTRE9N V2luZG93QmFzZTo6SlNET01XaW5kb3dCYXNlKEpTR2xvYmEKICAgICBhZGRTdGF0aWNHbG9iYWxz KHN0YXRpY0dsb2JhbHMsIFdURl9BUlJBWV9MRU5HVEgoc3RhdGljR2xvYmFscykpOwogfQogCi12 b2lkIEpTRE9NV2luZG93QmFzZTo6dXBkYXRlRG9jdW1lbnQoKQordm9pZCBKU0RPTVdpbmRvd0Jh c2U6OnVwZGF0ZURvY3VtZW50KERvY3VtZW50KiBkb2N1bWVudCkKIHsKLSAgICBBU1NFUlQobV9p bXBsLT5kb2N1bWVudCgpKTsKICAgICBFeGVjU3RhdGUqIGV4ZWMgPSBnbG9iYWxFeGVjKCk7Ci0g ICAgc3ltYm9sVGFibGVQdXRXaXRoQXR0cmlidXRlcyhleGVjLT5nbG9iYWxEYXRhKCksIElkZW50 aWZpZXIoZXhlYywgImRvY3VtZW50IiksIHRvSlMoZXhlYywgdGhpcywgbV9pbXBsLT5kb2N1bWVu dCgpKSwgRG9udERlbGV0ZSB8IFJlYWRPbmx5KTsKKyAgICBzeW1ib2xUYWJsZVB1dFdpdGhBdHRy aWJ1dGVzKGV4ZWMtPmdsb2JhbERhdGEoKSwgSWRlbnRpZmllcihleGVjLCAiZG9jdW1lbnQiKSwg dG9KUyhleGVjLCB0aGlzLCBkb2N1bWVudCksIERvbnREZWxldGUgfCBSZWFkT25seSk7CiB9CiAK IFNjcmlwdEV4ZWN1dGlvbkNvbnRleHQqIEpTRE9NV2luZG93QmFzZTo6c2NyaXB0RXhlY3V0aW9u Q29udGV4dCgpIGNvbnN0CkluZGV4OiBTb3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9KU0RPTVdp bmRvd0Jhc2UuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9KU0RP TVdpbmRvd0Jhc2UuaAkocmV2aXNpb24gODgxNzQpCisrKyBTb3VyY2UvV2ViQ29yZS9iaW5kaW5n cy9qcy9KU0RPTVdpbmRvd0Jhc2UuaAkod29ya2luZyBjb3B5KQpAQCAtMjcsNiArMjcsNyBAQAog bmFtZXNwYWNlIFdlYkNvcmUgewogCiAgICAgY2xhc3MgRE9NV2luZG93OworICAgIGNsYXNzIERv Y3VtZW50OwogICAgIGNsYXNzIEZyYW1lOwogICAgIGNsYXNzIERPTVdyYXBwZXJXb3JsZDsKICAg ICBjbGFzcyBKU0RPTVdpbmRvdzsKQEAgLTQwLDcgKzQxLDcgQEAgbmFtZXNwYWNlIFdlYkNvcmUg ewogICAgICAgICBKU0RPTVdpbmRvd0Jhc2UoSlNDOjpKU0dsb2JhbERhdGEmLCBKU0M6OlN0cnVj dHVyZSosIFBhc3NSZWZQdHI8RE9NV2luZG93PiwgSlNET01XaW5kb3dTaGVsbCopOwogCiAgICAg cHVibGljOgotICAgICAgICB2b2lkIHVwZGF0ZURvY3VtZW50KCk7CisgICAgICAgIHZvaWQgdXBk YXRlRG9jdW1lbnQoRG9jdW1lbnQqKTsKIAogICAgICAgICBET01XaW5kb3cqIGltcGwoKSBjb25z dCB7IHJldHVybiBtX2ltcGwuZ2V0KCk7IH0KICAgICAgICAgdmlydHVhbCBTY3JpcHRFeGVjdXRp b25Db250ZXh0KiBzY3JpcHRFeGVjdXRpb25Db250ZXh0KCkgY29uc3Q7CkluZGV4OiBTb3VyY2Uv V2ViQ29yZS9iaW5kaW5ncy9qcy9TY3JpcHRDb250cm9sbGVyLmNwcAo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBT b3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9TY3JpcHRDb250cm9sbGVyLmNwcAkocmV2aXNpb24g ODgxNzQpCisrKyBTb3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9TY3JpcHRDb250cm9sbGVyLmNw cAkod29ya2luZyBjb3B5KQpAQCAtMjE3LDcgKzIxNyw3IEBAIEpTRE9NV2luZG93U2hlbGwqIFNj cmlwdENvbnRyb2xsZXI6OmluaXQKIAogICAgIEpTRE9NV2luZG93U2hlbGwqIHdpbmRvd1NoZWxs ID0gY3JlYXRlV2luZG93U2hlbGwod29ybGQpOwogCi0gICAgd2luZG93U2hlbGwtPndpbmRvdygp LT51cGRhdGVEb2N1bWVudCgpOworICAgIHdpbmRvd1NoZWxsLT53aW5kb3coKS0+dXBkYXRlRG9j dW1lbnQobV9mcmFtZS0+ZG9jdW1lbnQoKSk7CiAKICAgICBpZiAoUGFnZSogcGFnZSA9IG1fZnJh bWUtPnBhZ2UoKSkgewogICAgICAgICBhdHRhY2hEZWJ1Z2dlcih3aW5kb3dTaGVsbCwgcGFnZS0+ ZGVidWdnZXIoKSk7CkBAIC0zNDYsNyArMzQ2LDcgQEAgdm9pZCBTY3JpcHRDb250cm9sbGVyOjp1 cGRhdGVEb2N1bWVudCgpCiAKICAgICBKU0xvY2sgbG9jayhTaWxlbmNlQXNzZXJ0aW9uc09ubHkp OwogICAgIGZvciAoU2hlbGxNYXA6Oml0ZXJhdG9yIGl0ZXIgPSBtX3dpbmRvd1NoZWxscy5iZWdp bigpOyBpdGVyICE9IG1fd2luZG93U2hlbGxzLmVuZCgpOyArK2l0ZXIpCi0gICAgICAgIGl0ZXIt PnNlY29uZC0+d2luZG93KCktPnVwZGF0ZURvY3VtZW50KCk7CisgICAgICAgIGl0ZXItPnNlY29u ZC0+d2luZG93KCktPnVwZGF0ZURvY3VtZW50KG1fZnJhbWUtPmRvY3VtZW50KCkpOwogfQogCiB2 b2lkIFNjcmlwdENvbnRyb2xsZXI6OnVwZGF0ZVNlY3VyaXR5T3JpZ2luKCkKSW5kZXg6IFNvdXJj ZS9XZWJDb3JlL2RvbS9Eb2N1bWVudC5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUv ZG9tL0RvY3VtZW50LmNwcAkocmV2aXNpb24gODgxNzQpCisrKyBTb3VyY2UvV2ViQ29yZS9kb20v RG9jdW1lbnQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xODI2LDcgKzE4MjYsNyBAQCB2b2lkIERv Y3VtZW50OjpkZXRhY2goKQogCiAgICAgaWYgKHJlbmRlcikKICAgICAgICAgcmVuZGVyLT5kZXN0 cm95KCk7Ci0gICAgCisKICAgICAvLyBUaGlzIGlzIHJlcXVpcmVkLCBhcyBvdXIgRnJhbWUgbWln aHQgZGVsZXRlIGl0c2VsZiBhcyBzb29uIGFzIGl0IGRldGFjaGVzCiAgICAgLy8gdXMuIEhvd2V2 ZXIsIHRoaXMgdmlvbGF0ZXMgTm9kZTo6ZGV0YWNoKCkgc2VtYW50aWNzLCBhcyBpdCdzIG5ldmVy CiAgICAgLy8gcG9zc2libGUgdG8gcmUtYXR0YWNoLiBFdmVudHVhbGx5IERvY3VtZW50OjpkZXRh Y2goKSBzaG91bGQgYmUgcmVuYW1lZCwKSW5kZXg6IFNvdXJjZS9XZWJDb3JlL3BhZ2UvRE9NV2lu ZG93LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9wYWdlL0RPTVdpbmRvdy5jcHAJ KHJldmlzaW9uIDg4MTc0KQorKysgU291cmNlL1dlYkNvcmUvcGFnZS9ET01XaW5kb3cuY3BwCSh3 b3JraW5nIGNvcHkpCkBAIC00MjUsNiArNDI1LDggQEAgdm9pZCBET01XaW5kb3c6OnNldFNlY3Vy aXR5T3JpZ2luKFNlY3VyaQogCiB2b2lkIERPTVdpbmRvdzo6ZGlzY29ubmVjdEZyYW1lKCkKIHsK KyAgICBpZiAoIW1fZnJhbWUpCisgICAgICAgIHJldHVybjsKICAgICBtX2ZyYW1lID0gMDsKICAg ICBjbGVhcigpOwogfQpJbmRleDogU291cmNlL1dlYkNvcmUvcGFnZS9GcmFtZS5jcHAKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL1dlYkNvcmUvcGFnZS9GcmFtZS5jcHAJKHJldmlzaW9uIDg4MTc0KQor KysgU291cmNlL1dlYkNvcmUvcGFnZS9GcmFtZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTY1MCw3 ICs2NTAsNyBAQCB2b2lkIEZyYW1lOjpjbGVhckRPTVdpbmRvdygpCiB7CiAgICAgaWYgKG1fZG9t V2luZG93KSB7CiAgICAgICAgIG1fbGl2ZUZvcm1lcldpbmRvd3MuYWRkKG1fZG9tV2luZG93Lmdl dCgpKTsKLSAgICAgICAgbV9kb21XaW5kb3ctPmNsZWFyKCk7CisgICAgICAgIG1fZG9tV2luZG93 LT5kaXNjb25uZWN0RnJhbWUoKTsKICAgICB9CiAgICAgbV9kb21XaW5kb3cgPSAwOwogfQo=