Bug 14692 - Cross frame scripting allowed by Webkit in layout test
Summary: Cross frame scripting allowed by Webkit in layout test
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 523.x (Safari 3)
Hardware: PC Windows XP
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-20 10:55 PDT by Sridhar Gurivireddy
Modified: 2007-08-29 14:20 PDT

See Also:


Attachments
XSS Cookie demo (452 bytes, text/html)
2007-08-06 21:32 PDT, Sridhar Gurivireddy
no flags

Description Sridhar Gurivireddy 2007-07-20 10:55:35 PDT
The layout test fast\events\keypress-focus-change.html exposes that WebKit allows cross-frame scripting.

Other browsers on windows do not allow this, probably for security reasons.
Comment 1 David Kilzer (:ddkilzer) 2007-07-21 07:46:54 PDT
Please note that the layoutTestController and eventSender objects used in the test case are only available through the DumpRenderTree testing harness.

When the test is loaded in the browser via file:/// URL, you must perform the test manually by clicking in the lower-left text field, then typing at least two characters.  The first character should appear in the text field you clicked in, then subsequent text should appear in the text field within the iframe.

This works in Firefox 2.0.0.4 (no errors) and ToT WebKit.  This does not work in Opera 9.21, though.

I don't believe being able to set focus to an element in a child iframe from the parent page is considered a security issue.

Comment 2 Sridhar Gurivireddy 2007-08-06 21:32:31 PDT
Created attachment 15854
XSS Cookie demo

Please find an example of HTML to read the cookie of google.com. This HTML can be on any domain.
Comment 3 David Kilzer (:ddkilzer) 2007-08-09 06:51:25 PDT
(In reply to comment #2)
> Created an attachment (id=15854)
> XSS Cookie demo
> 
> Please find an example of HTML to read cookie of google.com. This HTML can be
> on any domain.

Using this demo, I get three errors (as expected?) using both Safari 2.0.4 (419.3) and Safari 3 Public Beta v. 3.0.3 (522.12.1) on Mac OS X 10.4.10 (8R218):

Unsafe JavaScript attempt to access frame with URL http://bugs.webkit.org/attachment.cgi?id=15854&action=view from frame with URL http://www.yahoo.com/. Domains must match.
Unsafe JavaScript attempt to access frame with URL http://www.yahoo.com/ from frame with URL http://bugs.webkit.org/attachment.cgi?id=15854&action=view. Domains must match.
[6346] http://bugs.webkit.org/attachment.cgi?id=15854&action=view:TypeError - Undefined value
Unsafe JavaScript attempt to access frame with URL http://bugs.webkit.org/attachment.cgi?id=15854&action=view from frame with URL http://www.yahoo.com/. Domains must match.

I get the same errors when the xss_cookie.html file is saved locally and opened.