Bug 38151

Summary: drop support for sessionStorage in sandbox iframes
Product: WebKit Reporter: eduardo <evn>
Component: FramesAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, commit-queue, dglazkov, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Patch
none
Patch none

eduardo
Reported 2010-04-26 17:20:37 PDT
From: https://bugs.webkit.org/show_bug.cgi?id=32369#c3 I think sessionStorage should be disabled in sandboxed iframes. sandboxed.html: <script>sessionStorage.x='busted';</script> sandboxer.html: <script>setInterval(function(){document.title=sessionStorage.x},500);</script><iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
Attachments
Patch (7.55 KB, patch)
2010-05-05 14:29 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch (9.24 KB, patch)
2010-05-05 16:19 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
eduardo
Comment 1 2010-04-26 17:21:45 PDT
the previous code will set document.title to "busted", if the page is saving sensitive information in there, then it may introduce security problems.
Adam Barth
Comment 2 2010-05-05 13:47:15 PDT
According to http://dev.w3.org/html5/webstorage/#the-sessionstorage-attribute, we should have one per origin.
eduardo
Comment 3 2010-05-05 13:58:18 PDT
a sandboxed iframe is considered to have the same origin, or a new "unique" origin? from http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html "When the attribute is set, the content is treated as being from a unique origin"
Adam Barth
Comment 4 2010-05-05 14:04:35 PDT
We're interested in the case where it has a unique origin. The "correct" behavior is probably to create a new storage area for the unique origin. I'm working up a patch that throws a security exception because that matches what we're doing for localStorage.
eduardo
Comment 5 2010-05-05 14:08:41 PDT
is it useful to have sessionStorage on a window that has a unique origin every time is created?
eduardo
Comment 6 2010-05-05 14:10:09 PDT
oh nvm, I just read your comment. a sec error is cool
Adam Barth
Comment 7 2010-05-05 14:13:29 PDT
Here's the patch that turned this on: http://trac.webkit.org/changeset/56002
Adam Barth
Comment 8 2010-05-05 14:29:03 PDT
Created attachment 55155 [details] Patch
WebKit Review Bot
Comment 9 2010-05-05 15:52:28 PDT
Attachment 55155 [details] did not build on chromium: Build output: http://webkit-commit-queue.appspot.com/results/2223001
Adam Barth
Comment 10 2010-05-05 16:19:30 PDT
Created attachment 55170 [details] Patch
Eric Seidel (no email)
Comment 11 2010-05-05 22:28:14 PDT
Comment on attachment 55170 [details] Patch WebCore/storage/StorageEventDispatcher.cpp:60 + if (!ec) Could/should this be an early return instead of further indent to the line-that-never-wrapped? WebCore/storage/StorageEventDispatcher.cpp:61 + frames[i]->document()->enqueueEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage)); I'm rather anti-wrap, but I think even I might have used a local variable here. WebKit/chromium/src/StorageAreaProxy.cpp:130 + Storage* storage = frames[i]->domWindow()->sessionStorage(ec); Why not just check storage != NULL? Seems OK, even if the EC handling is slightly inelegant.
Eric Seidel (no email)
Comment 12 2010-05-05 22:28:39 PDT
Comment on attachment 55170 [details] Patch Adam should see my comments first.
Adam Barth
Comment 13 2010-05-05 23:44:01 PDT
Comment on attachment 55170 [details] Patch I think its ok for now. I copied the style from localStorage below. If we want to change it, we should change both at once.
WebKit Commit Bot
Comment 14 2010-05-06 02:20:09 PDT
Comment on attachment 55170 [details] Patch Clearing flags on attachment: 55170 Committed r58873: <http://trac.webkit.org/changeset/58873>
WebKit Commit Bot
Comment 15 2010-05-06 02:20:16 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.