Bug 66996

Summary: chromium: we log the parent and child origins to the javascript console when there is a cross-origin violation
Product: WebKit
Reporter: Dirk Pranke <dpranke>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal
CC: abarth, jschuh, mani.subodh, tsepez
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
calling frame's html for the test case. (Flags: none)
called iframe's html (Flags: none)

Description Dirk Pranke 2011-08-25 16:21:43 PDT
A month or so ago when I was at a workshop at Stanford, someone reported to me that Chrome/Chromium (unlike all other web browsers) will actually log both the parent and child URLs when we have a cross-origin violation, e.g.:

Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match.

He was wondering if this might cause some sort of information leakage or be useful in some sort of an attack. I couldn't think of anything, but I thought I would file it here just so someone else can weigh in on it. Possibly we should change our behavior to not log the URLs at all and match the other browsers?
Comment 1 Dirk Pranke 2011-08-25 16:23:09 PDT
Created attachment 105273
calling frame's html for the test case.
Comment 2 Dirk Pranke 2011-08-25 16:23:26 PDT
Created attachment 105274
called iframe's html
Comment 3 Adam Barth 2011-08-25 17:02:19 PDT
It would be a problem if the web site can intercept the message.
Comment 4 Dirk Pranke 2011-08-25 17:10:22 PDT
As far as I know, there is no way to intercept the message and no way to extract the text from the Console, so this seems harmless and in fact useful. 

Closing this as WONTFIX for now; someone can reopen if there is disagreement.
Comment 5 Subodh Iyengar 2011-08-25 22:55:23 PDT
Hey Dirk, I spoke to you about this bug at Stanford.
I did try to attack this myself and couldn't get a way to get the error message from the console in javascript. I guess I'll have to find an attack to warrant fixing this bug?
Comment 6 Justin Schuh 2011-08-25 23:35:19 PDT
I definitely don't consider this behavior a bug. A web site being able to read the console output back would be a security issue (which we would fix if identified); however, the error logging is by design, and very helpful in tracking down origin issues.
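
Added example, not part of the bug report or of any commenter's post: a small JavaScript helper that parses the console message quoted in the description, reports which of "domains, protocols and ports" failed to match, and separates out the part of each URL beyond its origin, which is the information the thread is concerned about. The function names are hypothetical and the message format is assumed to be exactly the one quoted above.

```javascript
// Added example: analyse the cross-origin console message quoted in the bug.
// Function and constant names are hypothetical, not WebKit/Chromium code.
const MESSAGE_RE =
  /^Unsafe JavaScript attempt to access frame with URL (\S+) from frame with URL (\S+?)\. Domains, protocols and ports must match\.$/;
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (protocol, domain, port) tuple the message refers to.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    domain: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Everything in the URL beyond its origin: the part that would be disclosed
// to the other frame if page script could ever read the console text.
function beyondOrigin(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search + u.hash;
}

function analyseViolation(message) {
  const m = MESSAGE_RE.exec(message.trim());
  if (!m) return null; // not a cross-origin violation message
  const [, targetUrl, callerUrl] = m;
  const target = originTuple(targetUrl);
  const caller = originTuple(callerUrl);
  const mismatched = Object.keys(target).filter((k) => target[k] !== caller[k]);
  return {
    targetUrl,
    callerUrl,
    mismatched,
    targetBeyondOrigin: beyondOrigin(targetUrl),
    callerBeyondOrigin: beyondOrigin(callerUrl),
  };
}

// Sample input: the message text quoted in the bug description.
const SAMPLE =
  "Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match.";
console.log(analyseViolation(SAMPLE));
```

For the message in the report only the domain differs: `127.0.0.1` and `localhost` are distinct origins even though both name the same machine.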