[Webkit-unassigned] [Bug 16073] xss possible because of a bug in Document::setDomain

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 21 16:03:13 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=16073





------- Comment #7 from ian.eng.webkit at gmail.com  2007-11-21 16:03 PDT -------
The patch is over-restrictive. It should allow setting the domain to the same domain. So it
needs a fix before getting the length of the domain names.

    // Both NS and IE specify that changing the domain is only allowed when
    // the new domain is a suffix of the old domain.

    // FIXME: We should add logging indicating why a domain was not allowed.

    // NOTE: If the new domain is the same as the old domain, still call
    // m_securityOrigin.setDomainFromDOM. This will change the
    // security check behavior. For example, if a page with https:// scheme
    // assigns its current domain to document.domain, the page will
    // allow other http:// (and ports) pages in the same domain to
    // access this page. Firefox and Safari behave like this.
    // Is this a good design?
    if (m_domain == newDomain) {
        m_securityOrigin.setDomainFromDOM(newDomain);
        return;
    }

    int oldLength = m_domain.length();
    int newLength = newDomain.length();

    // e.g. newDomain=kde.org (7) and m_domain=www.kde.org (11)

Layout test http/tests/security/cross-frame-access-port-explicit-domain.html
failed because of this.
I verified that Firefox and Safari both allow changing document.domain to the
current domain, and treat it as set by DOM after that, so cross-frame access is
possible when the protocol and port are different.
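The behaviour discussed in the comment above, modelled as an added example that is not WebKit's code and not part of the original bug thread. It assumes a small SecurityOrigin-like object (the class name, fields and helper names are illustrative) and the standard document.domain rule that both frames must have set document.domain before the relaxed check applies; the relaxed check ignores protocol and port, as the comment describes for Firefox and Safari of that time. The suffix check also shows the case the comment is about: the current domain is accepted unchanged, while a suffix that does not start at a label boundary ("de.org" for "www.kde.org") is rejected.

```javascript
// Added example: a model of document.domain relaxation, not WebKit's code.
// SecurityOrigin, domainWasSetInDOM and makeDocument are illustrative names.

class SecurityOrigin {
  constructor(protocol, host, port) {
    this.protocol = protocol;
    this.host = host;
    this.port = port;
    this.domain = host;            // effective domain used by the access check
    this.domainWasSetInDOM = false; // becomes true once document.domain is assigned
  }

  // Mirrors the m_securityOrigin.setDomainFromDOM call in the comment above:
  // called even when newDomain equals the current domain, so that the
  // relaxed check applies afterwards.
  setDomainFromDOM(newDomain) {
    this.domain = newDomain;
    this.domainWasSetInDOM = true;
  }

  // Assumed rule (illustrative): when both sides have set document.domain,
  // only the domain is compared and protocol/port are ignored, as the comment
  // describes. Otherwise the full protocol/host/port tuple must match.
  canAccess(other) {
    if (this.domainWasSetInDOM && other.domainWasSetInDOM) {
      return this.domain === other.domain;
    }
    return this.protocol === other.protocol &&
           this.host === other.host &&
           this.port === other.port;
  }
}

// Suffix check corresponding to the "new domain must be a suffix of the old
// domain" rule: the current domain is allowed unchanged (the case the
// over-restrictive patch rejected), and a shorter domain is allowed only if
// it is a proper suffix starting at a label boundary, e.g. "kde.org" for
// "www.kde.org" but not "de.org".
function isAllowedDomainChange(oldDomain, newDomain) {
  if (oldDomain === newDomain) return true;
  if (newDomain.length === 0 || newDomain.length >= oldDomain.length) return false;
  if (!oldDomain.endsWith(newDomain)) return false;
  const boundary = oldDomain.length - newDomain.length - 1;
  return oldDomain[boundary] === '.';
}

// Illustrative stand-in for Document::setDomain: returns false where a
// browser would raise a security error.
function setDomain(doc, newDomain) {
  if (!isAllowedDomainChange(doc.origin.domain, newDomain)) return false;
  doc.origin.setDomainFromDOM(newDomain);
  return true;
}

function makeDocument(protocol, host, port) {
  return { origin: new SecurityOrigin(protocol, host, port) };
}

// Constructed scenario matching the layout test the comment names: the same
// host served over different protocols and ports.
function demo() {
  const secure = makeDocument('https', 'www.kde.org', 443);
  const plain = makeDocument('http', 'www.kde.org', 8080);
  const before = secure.origin.canAccess(plain.origin);
  setDomain(secure, 'www.kde.org');          // assign current domain
  const oneSide = secure.origin.canAccess(plain.origin);
  setDomain(plain, 'www.kde.org');
  const after = secure.origin.canAccess(plain.origin);
  return { before, oneSide, after };
}
```

Note that `isAllowedDomainChange` alone does not stop a page from descending to a bare public suffix such as "org"; that concern is outside what this comment addresses and is handled separately in browsers.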

