Bug 20642

Summary: Adopt opener restriction for top-level frame navigation
Product: WebKit Reporter: Adam Barth <abarth>
Component: Frames    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, collinj, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://blogs.msdn.com/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
Attachments: patch (flags: sam: review+)

Adam Barth
Reported 2008-09-04 02:20:11 PDT
Both IE 8 beta 2 and Firefox 3 now support the "opener restriction" for navigation of top-level frames. We discussed this a number of months ago when we did the initial frame navigation work, but opted not to implement the restriction. Here is what it does: Suppose window X opens window Y via window.open(...). If window Z tries to navigate Y, the navigation will be blocked if Z is not the same origin as X (the opener of Y). I'm not convinced the opener restriction actually prevents any real attacks, but it's probably worth matching the behavior of other browsers. (Opera has a very complex policy for top-level windows, for example caring if a window is showing an HTTPS page or not). For some older context, see http://crypto.stanford.edu/websec/frames/navigation/
Attachments
patch (12.48 KB, patch), 2008-09-06 20:41 PDT, Adam Barth, flags: sam: review+
Sam Weinig
Comment 1 2008-09-04 12:59:43 PDT
I think this would be okay. Does HTML5 define this behavior? If not, we should suggest Ian change it to match.
Adam Barth
Comment 2 2008-09-04 16:28:56 PDT
HTML 5 does spec the opener restriction, but the spec is subtly different from what Firefox implements. Firefox only computes one level of recursion of "can navigate the opener," whereas a literal reading of the spec seems to suggest unbounded recursion.
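The policy described in the report, together with the one-level versus recursive difference raised in comment 2, as an added example that is not WebKit's code and not part of this bug: a small JavaScript model of "can frame A navigate frame B". Frames are plain objects, origins are compared as strings, and the scenario helpers and their origins are constructed for illustration; the `openerRestriction: false` option stands for the pre-patch behaviour in which no opener check was applied to top-level windows.

```javascript
// Added example (not WebKit's code): a model of the top-level navigation
// policy discussed in bug 20642. Frames are plain objects; origins are
// strings compared for equality, standing in for real origin comparison.

function makeFrame(origin, { parent = null, opener = null } = {}) {
  return { origin, parent, opener };
}

// The top-level window of a frame: walk up the parent chain.
function topOf(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}

// Descendant policy from the earlier frame-navigation work: a document may
// navigate a frame if it is same-origin with that frame or with any of the
// frame's ancestors in the frame hierarchy.
function canAccessAncestor(activeOrigin, target) {
  for (let f = target; f; f = f.parent) {
    if (f.origin === activeOrigin) return true;
  }
  return false;
}

// The non-opener part of the policy: self, descendant policy, and
// frame-busting (a frame may always navigate its own top-level window).
function canNavigateDirect(active, target) {
  if (active === target) return true;
  if (canAccessAncestor(active.origin, target)) return true;
  if (topOf(active) === target) return true; // allow frame-busting
  return false;
}

// Options model the behaviours discussed in the bug:
//   { openerRestriction: false }          old behaviour, no opener check on top-level windows
//   { recursive: false } (default)        Firefox 3: one level of "can navigate the opener"
//   { recursive: true }                   literal reading of HTML5: unbounded recursion
function canNavigate(active, target, opts = {}, seen = new Set()) {
  const { openerRestriction = true, recursive = false } = opts;
  if (canNavigateDirect(active, target)) return true;
  if (target.parent !== null) return false; // subframes: descendant policy only
  if (!openerRestriction) return true;      // any top-level window may be navigated
  const opener = target.opener;
  if (!opener || seen.has(target)) return false; // guard against opener cycles in the model
  seen.add(target);
  return recursive
    ? canNavigate(active, opener, opts, seen)
    : canNavigateDirect(active, opener);
}

// Scenario from the report (constructed data): X opens Y; a separate
// top-level window Z with origin zOrigin tries to navigate Y.
function openerScenario(zOrigin) {
  const x = makeFrame("https://x.example");
  const y = makeFrame("https://y.example", { opener: x });
  const z = makeFrame(zOrigin);
  return {
    withoutRestriction: canNavigate(z, y, { openerRestriction: false }),
    oneLevel: canNavigate(z, y),
    recursive: canNavigate(z, y, { recursive: true }),
  };
}

// Scenario from comment 2 (constructed data): X opens Y, Y opens W, and Z is
// same-origin with X. One level of recursion blocks Z, since Z is not
// same-origin with W's opener Y; unbounded recursion allows it, because Z
// may navigate Y through Y's opener X.
function chainScenario() {
  const x = makeFrame("https://x.example");
  const y = makeFrame("https://y.example", { opener: x });
  const w = makeFrame("https://w.example", { opener: y });
  const z = makeFrame("https://x.example");
  return {
    oneLevel: canNavigate(z, w),
    recursive: canNavigate(z, w, { recursive: true }),
  };
}

// Frame-busting survives the new restriction: a cross-origin subframe may
// still navigate its own top-level window.
function frameBustingScenario() {
  const topWin = makeFrame("https://victim.example");
  const ad = makeFrame("https://attacker.example", { parent: topWin });
  return canNavigate(ad, topWin);
}
```

Running `openerScenario("https://x.example")` allows the navigation under every option, while `openerScenario("https://z.example")` is allowed only without the restriction; `chainScenario()` is the case where the one-level and recursive readings disagree.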
Adam Barth
Comment 3 2008-09-06 20:41:26 PDT
Sam Weinig
Comment 4 2008-09-07 12:54:54 PDT
Comment on attachment 23224, patch:

Looks good. I would give a bit more of an explanation of what the opener restriction is in the ChangeLog, as well as why we are adopting it (to match other browsers).

> + // Allow frame-busting.

This comment might be confusing to those not familiar with the term "frame-busting".
Adam Barth
Comment 5 2008-09-08 00:24:47 PDT
Fixed in r36262.