Bug 16968 - Security violations in Acid3 test
Summary: Security violations in Acid3 test
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Macintosh OS X 10.4
Importance: P2 Normal
Assignee: Nobody
URL: http://www.hixie.ch/tests/evil/acid/0...
Keywords:
Depends on:
Blocks:
Reported: 2008-01-21 23:13 PST by Eric Seidel (no email)
Modified: 2008-01-29 00:17 PST (History)

See Also:
Description Eric Seidel (no email) 2008-01-21 23:13:52 PST
Security violations in Acid3 test

I expect that these are calls to object.contentDocument.  I'm not certain.  I'm also not sure if this behavior is correct or not.

Unsafe JavaScript attempt to access frame with URL data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB3aWR0aD0iMTAwIiBoZWlnaHQ9IjEwMCI%2BPGRlZnM%2BPGZvbnQtZmFjZSBmb250LWZhbWlseT0iQUNJRDNzdmdmb250Ij48Zm9udC1mYWNlLXNyYz48Zm9udC1mYWNlLXVyaSB4bGluazpocmVmPSJkYXRhOmltYWdlL3N2Zyt4bWw7YmFzZTY0LFBITjJaeUI0Yld4dWN6MGlhSFIwY0RvdkwzZDNkeTUzTXk1dmNtY3ZNakF3TUM5emRtY2lJSGh0Ykc1ek9uaHNhVzVyUFNKb2RIUndPaTh2ZDNkM0xuY3pMbTl5Wnk4eE9UazVMM2hzYVc1cklqNDhaR1ZtY3o0OFptOXVkQ0JvYjNKcGVpMWhaSFl0ZUQwaU5UQXdJaUJwWkQwaWJXbHVhU0klMkJQR1p2Ym5RdFptRmpaU0JtYjI1MExXWmhiV2xzZVQwaVFVTkpSRE56ZG1kbWIyNTBJaUIxYm1sMGN5MXdaWEl0WlcwOUlqUXdNREFpSUdGelkyVnVkRDBpT0RBd0lpQmtaWE5qWlc1MFBTSXRNakF3SWlCaGJIQm9ZV0psZEdsalBTSXdJaTglMkJQRzFwYzNOcGJtY3RaMng1Y0dnZ2FHOXlhWG90WVdSMkxYZzlJakV3TURBd0lpQmtQU0pOTUNBd0lEUXdNREFnTUNJdlBqeG5iSGx3YUNCMWJtbGpiMlJsUFNKaElpQm5iSGx3YUMxdVlXMWxQU0poSWlCb2IzSnBlaTFoWkhZdGVEMGlORElpTHo0OFoyeDVjR2dnZFc1cFkyOWtaVDBpWWlJZ1oyeDVjR2d0Ym1GdFpUMGlZaUlnYUc5eWFYb3RZV1IyTFhnOUlqSXpJaTglMkJQR2RzZVhCb0lIVnVhV052WkdVOUltTWlJR2RzZVhCb0xXNWhiV1U5SW1NaUlHaHZjbWw2TFdGa2RpMTRQU0kwTnpFeElpOCUyQlBDOW1iMjUwUGp3dlpHVm1jejQ4TDNOMlp6NE5DZyUzRCUzRCNtaW5pIi8%2BPC9mb250LWZhY2Utc3JjPjwvZm9udC1mYWNlPjxwYXRoIGlkPSJwYXRoIiBkPSJNMCAwbDAgNDJsMTYgMTZsNDcxMSAwIi8%2BPC9kZWZzPjwvc3ZnPg0K from frame with URL http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html. Domains, protocols and ports must match.
Comment 1 Sam Weinig 2008-01-22 09:24:48 PST
I don't think this usage of data: URLs is appropriate for the Acid3 test as there is no specification that I know of (in the time frame allowed for Acid3 or after) that defines the behavior of access to data: URLs from JS.  Following a strict understanding of the same-origin policy, the behavior should not be allowed as the protocols (or scheme if that is how you roll) differ.

Hixie, if you agree, the issue can be mitigated by using a file on the same domain.
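The strict reading of the same-origin policy in the comment above treats a data: URL as belonging to a different origin from the http: page that embeds it (in today's terms, an opaque origin that matches nothing, not even itself), so the only way to make the frame reachable is to serve the SVG from the page's own scheme, host and port. The block below is an added example, not code from this bug thread or from WebKit, that models the check behind the "Domains, protocols and ports must match" message using Node's built-in WHATWG URL class. The test page URL is the one from the report; the data: URL is a shortened stand-in for the base64 SVG in the console log, and the `.svg` path under the same host, the https: variant and the :8080 variant are constructed inputs.

```javascript
// Added example (not from the bug thread or WebKit): a small model of the
// same-origin check that produces "Domains, protocols and ports must match",
// built on Node's global WHATWG URL class.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Scheme, host and effective port of a URL, or null when the URL has no
// tuple origin at all (data:, javascript:, about:, or unparsable input).
function originTuple(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  // WHATWG URL reports the string "null" for opaque origins such as data:.
  if (url.origin === "null") return null;
  return {
    protocol: url.protocol,
    domain: url.hostname,
    // url.port is "" for the scheme's default port, so normalise it.
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
  };
}

// The strict rule: both sides need a tuple origin and all three parts match.
// An opaque origin (data:) never matches, not even when compared to itself.
function sameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) return false;
  return ta.protocol === tb.protocol && ta.domain === tb.domain && ta.port === tb.port;
}

// Which parts of the tuple disagree; ["opaque origin"] when a side has none.
function mismatchReasons(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  if (ta === null || tb === null) return ["opaque origin"];
  return ["protocol", "domain", "port"].filter((k) => ta[k] !== tb[k]);
}

// Decide whether script running in accessorURL may reach into a frame at
// targetURL, reproducing the wording of the console message in the report.
function checkFrameAccess(accessorURL, targetURL) {
  if (sameOrigin(accessorURL, targetURL)) return { allowed: true, message: "" };
  return {
    allowed: false,
    message:
      `Unsafe JavaScript attempt to access frame with URL ${targetURL} ` +
      `from frame with URL ${accessorURL}. Domains, protocols and ports must match.`,
  };
}

// Constructed inputs. TEST_PAGE is the page URL from the report; DATA_SVG is a
// shortened stand-in for the base64 SVG in the console log (it decodes to
// <svg xmlns="http://www.w3.org/2000/svg"/>); SAME_HOST_SVG is a hypothetical
// path under the same host, i.e. the fix suggested in the comment above.
const TEST_PAGE = "http://www.hixie.ch/tests/evil/acid/003/NOT_READY_PLEASE_DO_NOT_USE.html";
const DATA_SVG = "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciLz4=";
const SAME_HOST_SVG = "http://www.hixie.ch/tests/evil/acid/003/font.svg";

// Runs the four comparisons a reader of the report would want to see.
function demo() {
  return {
    dataFrame: checkFrameAccess(TEST_PAGE, DATA_SVG),          // blocked: opaque origin
    sameHostFrame: checkFrameAccess(TEST_PAGE, SAME_HOST_SVG), // allowed: same tuple
    httpsVariant: mismatchReasons(TEST_PAGE, "https://www.hixie.ch/"),   // protocol and port
    portVariant: mismatchReasons(TEST_PAGE, "http://www.hixie.ch:8080/"), // port only
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that `mismatchReasons` reports both protocol and port for the https: variant: switching the scheme also changes the default port, which is why a "same host, different scheme" page is still cross-origin even when no port is written in the URL.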
Comment 2 Jesse Ruderman 2008-01-23 21:33:33 PST
Duplicate of bug 11885?
Comment 3 Jesse Ruderman 2008-01-23 21:37:00 PST
You guys might be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=255107, a Mozilla bug report titled "Prevent data: URLs from being used for XSS".
Comment 4 Eric Seidel (no email) 2008-01-29 00:17:35 PST
Acid3 has changed the test.  So I think we can close this and leave bug 11885 to handle any desired changes to data: URL handling.