Summary: | chromium: we log the parent and child origins to the javascript console when there is a cross-origin violation | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Dirk Pranke <dpranke> | ||||||
Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> | ||||||
Status: | RESOLVED WONTFIX | ||||||||
Severity: | Normal | CC: | abarth, jschuh, mani.subodh, tsepez | ||||||
Priority: | P2 | ||||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Dirk Pranke
2011-08-25 16:21:43 PDT
Created attachment 105273 [details]
calling frame's html for the test case.
Created attachment 105274 [details]
called iframe's html
It would be a problem if the web site can intercept the message. As far as I know, there is no way to intercept the message and no way to extract the text from the Console, so this seems harmless and in fact useful. Closing this as WONTFIX for now; someone can reopen if there is disagreement. Hey Dirk, I spoke to you about this bug at Stanford. I did try to attack this myself and couldnt get a way to get the error message from the console in javascript. I guess I'll have to find an attack to warrant fixing this bug? I definitely don't consider this behavior a bug. A web site being able to to read the console output back would be a security issue (which we would fix if identified); however, the error logging is by design, and very helpful in tracking down origin issues. |