[Webkit-unassigned] [Bug 15313] Same-origin check wrong when document.domain set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 28 19:05:15 PDT 2007
------- Comment #4 from hk9565 at gmail.com  2007-09-28 19:05 PDT -------
Created an attachment (id=16440)
 --> (http://bugs.webkit.org/attachment.cgi?id=16440&action=view)
Test for first issue

Looks like you already have tests for the first issue:


But these tests are wrong because they believe the access should be permitted.
Here is the attack:
1) Suppose there is an HTTPS site (www.example.com) that sets document.domain =
2) A network attacker redirects the browser to http://www.example.com/ and
  a) injects script to set document.domain = "example.com", and
  b) opens a window to https://www.example.com/
3) Now the network attacker can inject script into the HTTPS page, stealing
cookies and issuing banking transactions.

Firefox does not permit this access, see

I've attached fixes for the tests.  (Tests for the second issue coming

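Added example, not part of the original comment and not WebKit's or Firefox's code: a JavaScript model of the origin comparison this comment argues for. It places the lax check (document.domain match alone grants access, which is what the existing tests expected) beside the strict one (a document.domain match only relaxes host and port; the scheme must still be identical, and both sides must have opted in). The helpers `makeDocument`, `canAccessLax`, `canAccessStrict`, `attackScenario` and `legitimateScenario` are hypothetical names for illustration; the www.example.com URLs are the comment's own, and the api.example.com:8443 document in the legitimate case is constructed.

```javascript
// Added example (not WebKit's code): a model of the same-origin check with
// document.domain taken into account, showing why the scheme must still be
// compared when document.domain matches.

// A document is modelled by its URL plus the value it assigned to
// document.domain (null if it never set it). Hypothetical helper, not a
// browser API.
function makeDocument(url, effectiveDomain = null) {
  const u = new URL(url);
  const host = u.hostname;
  // A page may only set document.domain to its own host or a parent domain.
  if (
    effectiveDomain !== null &&
    effectiveDomain !== host &&
    !host.endsWith("." + effectiveDomain)
  ) {
    throw new Error(`${host} may not set document.domain to ${effectiveDomain}`);
  }
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host,
    port: u.port, // "" when the scheme's default port is used
    effectiveDomain, // what the page set document.domain to, or null
  };
}

// Lax check: once document.domain matches on both sides the scheme is
// ignored. This is the behaviour the existing tests expected, and the flaw
// the comment describes.
function canAccessLax(a, b) {
  if (a.effectiveDomain !== null && b.effectiveDomain !== null) {
    return a.effectiveDomain === b.effectiveDomain;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Strict check, matching the behaviour the comment attributes to Firefox:
// a document.domain match only relaxes host and port; the scheme must be
// identical, and both documents must have set document.domain.
function canAccessStrict(a, b) {
  if (a.effectiveDomain !== null && b.effectiveDomain !== null) {
    return a.scheme === b.scheme && a.effectiveDomain === b.effectiveDomain;
  }
  if (a.effectiveDomain === null && b.effectiveDomain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false; // only one side relaxed its domain: no access
}

// The scenario from the comment: the HTTPS page sets
// document.domain = "example.com", and a plain-HTTP document on the same
// host, reached over an untrusted network, sets the same value.
function attackScenario() {
  const httpsPage = makeDocument("https://www.example.com/", "example.com");
  const httpPage = makeDocument("http://www.example.com/", "example.com");
  return {
    lax: canAccessLax(httpPage, httpsPage), // true: http reaches https
    strict: canAccessStrict(httpPage, httpsPage), // false: blocked
  };
}

// Legitimate cross-subdomain use (same scheme, differing host and port)
// is still permitted under the strict rule. Constructed hosts.
function legitimateScenario() {
  const a = makeDocument("https://www.example.com/", "example.com");
  const b = makeDocument("https://api.example.com:8443/", "example.com");
  return canAccessStrict(a, b);
}
```

The design point is that relaxing document.domain widens the host comparison only; it never says anything about transport security, so a scheme mismatch must still fail even when both documents chose the same domain.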