[Webkit-unassigned] [Bug 8036] New: Overzealous Iframe security

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Tue Mar 28 11:42:59 PST 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=8036

           Summary: Overzealous Iframe security
           Product: WebKit
           Version: 420+ (nightly)
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: jhaygood at spsu.edu


Firefox, Internet Explorer, and Opera let the following check pass, even if
you're on a different frame:
parent == iframes[i].contentWindow

They don't let you access it, but you can tell if they are in fact the same. If
you have a Publisher Side File on the domain the original iframe is hosted in,
you can 'break out' of the containing frame using this method:

* Webpage writes out iframe on different domain (normally an ad server)
* iframe writes out iframe pointing to a publisher side file on the original
server
* new iframe finds the original iframe using the above comparison (reliable,
but doesn't work on Safari), using source comparison (not reliable, since
iframes can redirect), or size comparison (not reliable, since sites get
placement sizes wrong)

This breaks compatibility with most portal sites.


-- 
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
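
The lookup described in the report, written out as an added example (not code from the bug report or from WebKit): the publisher-side file walks the publisher page's iframes and matches its own `parent` by identity, reading nothing from the foreign window. The function names and the constructed frame tree, in which a Proxy stands in for a cross-origin window, are assumptions made so the sketch runs outside a browser.

```javascript
// In a browser the publisher-side file would call findContainingIframe(window).
function findContainingIframe(self) {
  const adWindow = self.parent;             // cross-origin: compared by identity only
  const publisherWindow = adWindow.parent;  // same origin as the publisher-side file
  const iframes = publisherWindow.document.getElementsByTagName('iframe');
  for (let i = 0; i < iframes.length; i++) {
    // The check from the report; it reads no property of the foreign window.
    if (adWindow == iframes[i].contentWindow) return iframes[i];
  }
  return null; // no match, e.g. an engine that refuses the comparison
}

// Constructed model of a foreign window: `parent` is readable, anything else throws.
function crossOriginWindow(parent) {
  return new Proxy({ parent }, {
    get(target, prop) {
      if (prop === 'parent') return target.parent;
      throw new Error('cross-origin access denied: ' + String(prop));
    },
  });
}

// Constructed sample: publisher page -> two ad iframes -> publisher-side file in slot-2.
function buildSampleFrames() {
  const publisher = { document: {} };
  const otherAd = crossOriginWindow(publisher);
  const ad = crossOriginWindow(publisher);
  const iframes = [
    { id: 'slot-1', contentWindow: otherAd },
    { id: 'slot-2', contentWindow: ad },
  ];
  publisher.document.getElementsByTagName =
    (tag) => (tag === 'iframe' ? iframes : []);
  const publisherSideFile = { parent: ad };
  return { publisherSideFile, iframes };
}
```
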


