A month or so ago when I was at a workshop at Stanford, someone reported to me that Chrome/Chromium (unlike all other web browsers) will actually log both the parent and child URLs when we have a cross-origin violation, e.g.:

Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match.

He was wondering if this might cause some sort of information leakage or be useful in some sort of an attack. I couldn't think of anything, but I thought I would file it here just so someone else can weigh in on it. Possibly we should change our behavior to not log the URLs at all and match the other browsers?
Created attachment 105273: calling frame's html for the test case.
Created attachment 105274: called iframe's html
It would be a problem if the web site can intercept the message.
As far as I know, there is no way to intercept the message and no way to extract the text from the Console, so this seems harmless and in fact useful. Closing this as WONTFIX for now; someone can reopen if there is disagreement.
Hey Dirk, I spoke to you about this bug at Stanford. I did try to attack this myself and couldn't get a way to get the error message from the console in JavaScript. I guess I'll have to find an attack to warrant fixing this bug?
I definitely don't consider this behavior a bug. A web site being able to read the console output back would be a security issue (which we would fix if identified); however, the error logging is by design, and very helpful in tracking down origin issues.