[Webkit-unassigned] [Bug 15313] Same-origin check wrong when document.domain set
bugzilla-daemon at webkit.org
Fri Sep 28 19:05:15 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=15313
------- Comment #4 from hk9565 at gmail.com 2007-09-28 19:05 PDT -------
Created an attachment (id=16440)
--> (http://bugs.webkit.org/attachment.cgi?id=16440&action=view)
Test for first issue
Looks like you already have tests for the first issue:
LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain.html
LayoutTests/http/tests/security/cross-frame-access-port-explicit-domain.html
But these tests are wrong because they believe the access should be permitted.
Here is the attack:
1) Suppose there is an HTTPS site (www.example.com) that sets document.domain =
"example.com".
2) A network attacker redirects the browser to http://www.example.com/ and
a) injects script to set document.domain = "example.com", and
b) opens a window to https://www.example.com/
3) Now the network attacker can inject script into the HTTPS page, stealing
cookies and issuing banking transactions.
Firefox does not permit this access, see
nsScriptSecurityManager::CheckSameOriginPrincipalInternal.
I've attached fixes for the tests. (Tests for the second issue coming
shortly.)
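The check the comment describes, as an added example that is not WebKit's or Firefox's code: a minimal model of the origin comparison, with the domain-only check the bug report faults beside a corrected one in which document.domain may relax the host comparison but scheme and port must still match. The origin tuple, function names and the port numbers are assumptions chosen for illustration.

```javascript
// Added example (not WebKit's code): models an origin as the tuple the
// browser compares, plus the document.domain value a page may have set.
function makeOrigin(scheme, host, port, documentDomain = null) {
  return { scheme, host, port, documentDomain };
}

// The flawed check the bug report describes: once both pages have set
// document.domain, only the domain value is compared, so an http:// page
// and an https:// page on the same host are treated as one origin.
function sameOriginDomainOnly(a, b) {
  if (a.documentDomain !== null && b.documentDomain !== null) {
    return a.documentDomain === b.documentDomain;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The corrected check: document.domain may relax the host comparison, but
// scheme and port must still match (the behaviour the comment attributes to
// Firefox's nsScriptSecurityManager::CheckSameOriginPrincipalInternal).
function sameOriginStrict(a, b) {
  if (a.scheme !== b.scheme || a.port !== b.port) return false;
  if (a.documentDomain !== null && b.documentDomain !== null) {
    return a.documentDomain === b.documentDomain;
  }
  return a.host === b.host;
}

// Constructed scenario from the report: the HTTPS page and an HTTP page on
// the same host, both having set document.domain = "example.com".
const httpsPage = makeOrigin("https", "www.example.com", 443, "example.com");
const httpPage = makeOrigin("http", "www.example.com", 80, "example.com");

// Summarises the cases the two layout tests named above cover (protocol and
// port mismatch with explicit document.domain) plus the legitimate sibling case.
function demo() {
  return {
    flawedAllows: sameOriginDomainOnly(httpPage, httpsPage), // true: the bug
    fixedAllows: sameOriginStrict(httpPage, httpsPage), // false
    portMismatch: sameOriginStrict(
      httpsPage, makeOrigin("https", "www.example.com", 8443, "example.com")), // false
    siblings: sameOriginStrict(
      httpsPage, makeOrigin("https", "api.example.com", 443, "example.com")), // true
  };
}
```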