[Webkit-unassigned] [Bug 7135] New: window.history object

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Tue Feb 7 09:59:23 PST 2006


           Summary: window.history object
           Product: WebKit
           Version: 417.x
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: trivial
          Priority: P2
         Component: JavaScript
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: gazhay at gmail.com

This used to trouble me with IE and Mozilla.
The window.history object is protected from reading for obvious reasons,
however, try this :-

1. On a page call any of the following (or all)
window.history[58769]="This is a history hijack attempt";
window.history[window.history.length]="this is another hijack";
window.history[0]="This is history 1";

2. On another page attempt to read window.history[58769], [0], or [length-1]

The result - data transfered across pages. (This also used to be considered a
security problem, so much so that MS went to great lengths to stop you doing
such things without cookies)

A trivial 'problem' - but one that a malicious page writer could exploit to
gain information. (I won't elaborate on the details)

Just interested in your thoughts on whether or not this is a bug.

Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list