Bug 16387 - Variable names can be enumerated across domains
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Nobody
URL: http://mapseekret.com/staticmedia/doc...
Keywords: HasReduction, InRadar
Depends on:
Reported: 2007-12-10 14:15 PST by Henry Mason
Modified: 2007-12-30 23:02 PST

patch (6.19 KB, patch)
2007-12-30 22:54 PST, Sam Weinig
oliver: review+

Description Henry Mason 2007-12-10 14:15:27 PST
WebKit currently allows for enumeration of all the property names in the window object via a JavaScript "for .. in" loop, even when the window object is from a foreign domain. This could cause a security problem if a JavaScript author made the mistake of storing a password in a variable name or something.

I've posted a demonstration of this problem to this bug's URL. Document B sets a global variable named "superSecretThing", document A embeds document B in an iframe, and is able to see the secret variable name from a foreign domain.
Comment 1 Mark Rowe (bdash) 2007-12-10 20:20:23 PST
Comment 2 Ian 'Hixie' Hickson 2007-12-30 21:19:26 PST
This can, e.g., leak whether a user is logged in on another domain, if that domain initialises variables after the user logs in.
Comment 3 Sam Weinig 2007-12-30 22:54:29 PST
Created attachment 18204
Comment 4 Sam Weinig 2007-12-30 23:02:28 PST
Landed in r29044.
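
An added illustration, not part of the bug report or of the WebKit patch: a small model of the bug class, in which a wrapper origin-checks property reads and writes but not name enumeration, next to a variant that checks both. The `Proxy` stands in for a browser's cross-origin window wrapper; `makeWindowWrapper`, `enumerateNames`, the origins and the sample object are all hypothetical.

```javascript
// Model only: a Proxy stands in for the wrapper around a foreign window.
// makeWindowWrapper, enumerateNames and both origins are hypothetical names.
function makeWindowWrapper(target, targetOrigin, callerOrigin, guardEnumeration) {
  const sameOrigin = targetOrigin === callerOrigin;
  const deny = () => { throw new Error("cross-origin access denied"); };
  const handler = {
    // Value reads and writes are origin-checked in both variants.
    get: (t, key) => (sameOrigin ? Reflect.get(t, key) : deny()),
    set: (t, key, value) => (sameOrigin ? Reflect.set(t, key, value) : deny()),
  };
  if (guardEnumeration) {
    // Hardened variant: every path that reveals a property NAME is checked too.
    handler.ownKeys = (t) => (sameOrigin ? Reflect.ownKeys(t) : []);
    handler.has = (t, key) => (sameOrigin ? Reflect.has(t, key) : false);
    handler.getOwnPropertyDescriptor = (t, key) =>
      sameOrigin ? Reflect.getOwnPropertyDescriptor(t, key) : undefined;
  }
  return new Proxy(target, handler);
}

// Collect whatever names a for..in loop exposes to the caller.
function enumerateNames(win) {
  const names = [];
  for (const name in win) names.push(name);
  return names;
}

// Constructed sample: document B's globals and two constructed origins.
const documentB = { superSecretThing: "value A must never read" };
const ORIGIN_A = "https://a.example";
const ORIGIN_B = "https://b.example";

function demo() {
  const leaky = makeWindowWrapper(documentB, ORIGIN_B, ORIGIN_A, false);
  const hardened = makeWindowWrapper(documentB, ORIGIN_B, ORIGIN_A, true);
  const own = makeWindowWrapper(documentB, ORIGIN_B, ORIGIN_B, true);
  return {
    leaky: enumerateNames(leaky),       // names visible despite the read check
    hardened: enumerateNames(hardened), // nothing visible to the foreign origin
    sameOrigin: enumerateNames(own),    // same-origin callers are unaffected
  };
}

console.log(demo());
```

The same check has to cover the `in` operator and property-descriptor lookups, since each of them confirms that a name exists even when its value cannot be read.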