WebKit Bugzilla
RESOLVED WONTFIX
66996
chromium: we log the parent and child origins to the javascript console when there is a cross-origin violation
https://bugs.webkit.org/show_bug.cgi?id=66996
Dirk Pranke
Reported
2011-08-25 16:21:43 PDT
A month or so ago when I was at a workshop at Stanford, someone reported to me that Chrome/Chromium (unlike all other web browsers) will actually log both the parent and child URLs when we have a cross-origin violation, e.g.:

Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match.

He was wondering if this might cause some sort of information leakage or be useful in some sort of an attack. I couldn't think of anything, but I thought I would file it here just so someone else can weigh in on it. Possibly we should change our behavior to not log the URLs at all and match the other browsers?
Attachments
calling frame's html for the test case. (334 bytes, text/html), 2011-08-25 16:23 PDT, Dirk Pranke
called iframe's html (59 bytes, text/html), 2011-08-25 16:23 PDT, Dirk Pranke
Dirk Pranke
Comment 1
2011-08-25 16:23:09 PDT
Created attachment 105273: calling frame's html for the test case.
Dirk Pranke
Comment 2
2011-08-25 16:23:26 PDT
Created attachment 105274: called iframe's html
Adam Barth
Comment 3
2011-08-25 17:02:19 PDT
It would be a problem if the web site can intercept the message.
Dirk Pranke
Comment 4
2011-08-25 17:10:22 PDT
As far as I know, there is no way to intercept the message and no way to extract the text from the Console, so this seems harmless and in fact useful. Closing this as WONTFIX for now; someone can reopen if there is disagreement.
Subodh Iyengar
Comment 5
2011-08-25 22:55:23 PDT
Hey Dirk, I spoke to you about this bug at Stanford. I did try to attack this myself and couldn't get a way to get the error message from the console in JavaScript. I guess I'll have to find an attack to warrant fixing this bug?
Justin Schuh
Comment 6
2011-08-25 23:35:19 PDT
I definitely don't consider this behavior a bug. A web site being able to read the console output back would be a security issue (which we would fix if identified); however, the error logging is by design, and very helpful in tracking down origin issues.