[webkit-reviews] review requested: [Bug 15313] Same-origin check
wrong when document.domain set : [Attachment 16466] Matches
FF2 and IE6 with tests
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Sep 29 23:34:00 PDT 2007
Adam Barth <hk9565 at gmail.com> has asked for review:
Bug 15313: Same-origin check wrong when document.domain set
http://bugs.webkit.org/show_bug.cgi?id=15313
Attachment 16466: Matches FF2 and IE6 with tests
http://bugs.webkit.org/attachment.cgi?id=16466&action=edit
------- Additional Comments from Adam Barth <hk9565 at gmail.com>
Thanks go to Collin Jackson for running these test. Here are how some other
browsers behave:
Firefox 2:
Protocol mismatch, document.domain set: Denied.
Port mismatch, document.domain set: Allowed.
Only one page has set document.domain: Denied.
Internet Explorer 6:
Protocol mismatch, document.domain set: Denied.
Port mismatch, document.domain set: Allowed.
Only one page has set document.domain: Denied.
Internet Explorer 7:
Protocol mismatch, document.domain set: Denied.
Port mismatch, document.domain set: Denied.
Only one page has set document.domain: Denied.
Opera 9:
Protocol mismatch, document.domain set: Denied.
Port mismatch, document.domain set: Denied.
Only one page has set document.domain: Allowed.
I've updated the patch to match the behavior of Firefox 2 and IE6. The
scenarios where only one page has set document.domain are covered by two new
tests:
http/tests/security/cross-frame-access-child-explicit-domain.html
http/tests/security/cross-frame-access-parent-explicit-domain.html
Also, the patch updates the existing document.domain, protocol-mismatch test:
http/tests/security/cross-frame-access-protocol-explicit-domain.html
The port-mismatch case is already covered by a LayoutTest.
I'm not marking the older patch as obsolete because you may decide to
follow IE7s lead and be more secure.
More information about the webkit-reviews
mailing list