Bug 66996

Summary:

chromium: we log the parent and child origins to the javascript console when there is a cross-origin violation

Product:

WebKit

Reporter:

Dirk Pranke <dpranke>

Component:

WebCore Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED WONTFIX

Severity:

Normal

CC:

abarth, jschuh, mani.subodh, tsepez

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
calling frame's html for the test case.	none
called iframe's html	none

Dirk Pranke

Reported 2011-08-25 16:21:43 PDT

A month or so ago when I was at a workshop at Stanford, someone reported to me that Chrome/Chromium (unlike all other web browsers) will actually log both the parent and child URLs when we have a cross-origin violation, e.g.: Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match. He was wondering if this might cause some sort of information leakage or be useful in some sort of an attack. I couldn't think of anything, but I thought I would file it here just so someone else can weigh in on it. Possibly we should change our behavior to not log the URLs at all and match the other browsers?

Attachments
calling frame's html for the test case. (334 bytes, text/html) 2011-08-25 16:23 PDT, Dirk Pranke	no flags	Details
called iframe's html (59 bytes, text/html) 2011-08-25 16:23 PDT, Dirk Pranke	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Dirk Pranke

Comment 1 2011-08-25 16:23:09 PDT

Created attachment 105273 [details] calling frame's html for the test case.

Dirk Pranke

Comment 2 2011-08-25 16:23:26 PDT

Created attachment 105274 [details] called iframe's html

Adam Barth

Comment 3 2011-08-25 17:02:19 PDT

It would be a problem if the web site can intercept the message.

Dirk Pranke

Comment 4 2011-08-25 17:10:22 PDT

As far as I know, there is no way to intercept the message and no way to extract the text from the Console, so this seems harmless and in fact useful. Closing this as WONTFIX for now; someone can reopen if there is disagreement.

Subodh Iyengar

Comment 5 2011-08-25 22:55:23 PDT

Hey Dirk, I spoke to you about this bug at Stanford. I did try to attack this myself and couldnt get a way to get the error message from the console in javascript. I guess I'll have to find an attack to warrant fixing this bug?

Justin Schuh

Comment 6 2011-08-25 23:35:19 PDT

I definitely don't consider this behavior a bug. A web site being able to to read the console output back would be a security issue (which we would fix if identified); however, the error logging is by design, and very helpful in tracking down origin issues.

Note You need to log in before you can comment on or make changes to this bug.