Bug 16968
| Summary: | Security violations in Acid3 test | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Eric Seidel (no email) <eric> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | ||
| Severity: | Normal | CC: | abarth, collinj, gavin.sharp, ian, jruderman, jwalden+bwo, mjs, sam, webkit |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Mac | ||
| OS: | OS X 10.4 | ||
| URL: | http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html | ||
Eric Seidel (no email)
Security violations in Acid3 test
I expect that these are calls to object.contentDocument. I'm not certain. I'm also not sure if this behavior is correct or not.
Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Sam Weinig
I don't think this is usage of data: URLs is appropriate for the Acid3 test as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS. Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme if that is how you roll) differ.
Hixie, if you agree, the issue can be mitigated by using a file on the same domain.
Jesse Ruderman
Duplicate of bug 11885?
Jesse Ruderman
You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS".
Eric Seidel (no email)
Acid3 has changed the test. So I think we can close this and leave bug 11885 to handle any desired changes to data: url handling.