[Webkit-unassigned] [Bug 16523] Calling window.open("", "foo") allows arbitrary scripting by any domain
bugzilla-daemon at webkit.org
Thu Dec 20 23:49:32 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=16523
------- Comment #8 from hk9565 at gmail.com 2007-12-20 23:49 PDT -------
Created an attachment (id=18025)
--> (http://bugs.webkit.org/attachment.cgi?id=18025&action=view)
Initialize security origin once
Attached is one approach for fixing this issue. The idea is to allow Documents
to transition from the null principal (empty origin) to a real principal, but
not to allow them to transition from one principal to another (which is the
vulnerability).
Another approach I tried was to add an m_opener member to FrameLoadRequest and
to initialize m_opener before creating the document, but I didn't understand
the frame loading plumbing well enough to get this to work (especially when it
calls out to ChromeClient).
If you think this patch takes the right approach, we can write a regression
test, etc.
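The policy the patch describes (an origin may go from empty to real once, but never from one real origin to another) is easy to state as a small state check. The following is an added illustration, not WebKit's code or the attached patch: the types `SecurityOrigin`, `Document`, `initSecurityOrigin`, `sameOrigin` and `openEmptyUrlInto` are simplified stand-ins chosen for this example, and the origins used are constructed sample values.

```cpp
#include <cstdio>
#include <string>

// Simplified model (added example, not WebKit code) of a document's security
// origin. An "empty" origin stands for the null principal of a newly opened,
// not yet navigated window.
struct SecurityOrigin {
    std::string scheme;
    std::string host;
    int port = 0;

    bool isEmpty() const { return scheme.empty() && host.empty(); }

    bool operator==(const SecurityOrigin& other) const {
        return scheme == other.scheme && host == other.host && port == other.port;
    }
};

class Document {
public:
    // Initialize the origin at most once. empty -> real is allowed; real -> real
    // (the transition the bug permitted) is refused and reported to the caller.
    bool initSecurityOrigin(const SecurityOrigin& origin) {
        if (!m_origin.isEmpty())
            return false;
        m_origin = origin;
        return true;
    }

    const SecurityOrigin& securityOrigin() const { return m_origin; }

private:
    SecurityOrigin m_origin;
};

// Same-origin check. A null principal is never same-origin with anything,
// including itself, so an empty origin on either side yields false.
bool sameOrigin(const Document& a, const Document& b) {
    if (a.securityOrigin().isEmpty() || b.securityOrigin().isEmpty())
        return false;
    return a.securityOrigin() == b.securityOrigin();
}

// Model of window.open("", name) resolving to an already existing window:
// the caller's origin is offered as the origin of that window's document.
// Returns whether the caller may script the window afterwards.
bool openEmptyUrlInto(const Document& caller, Document& existing) {
    existing.initSecurityOrigin(caller.securityOrigin());
    return sameOrigin(caller, existing);
}

// Outcomes of the three scenarios a reviewer would want to see, so they can be
// checked by name rather than read off printed output.
struct FixDemo {
    bool victimInitAccepted;        // empty -> victim origin succeeds
    bool reInitRefused;             // victim origin -> attacker origin is refused
    bool crossOriginScriptable;     // attacker can script the victim window?
    bool freshWindowScriptableByOpener; // legitimate case still works
};

FixDemo runFixDemo() {
    // Constructed sample origins.
    const SecurityOrigin victim{"https", "victim.example", 443};
    const SecurityOrigin attacker{"https", "attacker.example", 443};

    Document victimDoc;
    Document attackerDoc;
    attackerDoc.initSecurityOrigin(attacker);

    FixDemo demo{};
    demo.victimInitAccepted = victimDoc.initSecurityOrigin(victim);
    demo.reInitRefused = !victimDoc.initSecurityOrigin(attacker);
    demo.crossOriginScriptable = openEmptyUrlInto(attackerDoc, victimDoc);

    Document freshWindow; // about:blank just opened by attackerDoc
    demo.freshWindowScriptableByOpener = openEmptyUrlInto(attackerDoc, freshWindow);
    return demo;
}

int main() {
    FixDemo d = runFixDemo();
    std::printf("victim init accepted: %d\n", d.victimInitAccepted);
    std::printf("re-init refused: %d\n", d.reInitRefused);
    std::printf("cross-origin scriptable: %d\n", d.crossOriginScriptable);
    std::printf("fresh window scriptable by opener: %d\n", d.freshWindowScriptableByOpener);
    return 0;
}
```

The point of `initSecurityOrigin` returning a bool is that the refusal is observable: a regression test for this approach only needs to assert that a second initialization of an already initialized document fails and that the opener ends up cross-origin to it, while a genuinely fresh window still inherits the opener's origin.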