[Webkit-unassigned] [Bug 15936] Overly permissive frame navigation allows password theft

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 3 05:06:24 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=15936


yuzhu.shen at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |yuzhu.shen at gmail.com




------- Comment #14 from yuzhu.shen at gmail.com  2008-01-03 05:06 PDT -------
According to the policy implemented in current WebKit, I've created a scenario
in which various browsers act differently.

Assume that the following files are located at http://aaa.bbb.com/
Note: If you want to try out this example, change the value of document.domain
accordingly in these files! It should be a suffix of the real domain in which
these files reside.
====================================
<!-- navigation.htm -->
<html>
<head>
    <title></title>
    <script language="javascript">document.domain='bbb.com';</script>
</head>
<frameset name="main" cols="503,*">
        <frame name="left" src="left.htm" />
        <frame name="right" src="right.htm" />
</frameset>
</html>
================================
<!-- left.htm -->
<html>
<head>
    <title></title>
    <base target='right'>
</head>
<body>
    <a href='helloWorld.htm'>HelloWorld</a>
</body>
</html>
=================================
<!-- right.htm -->
<html>
<head>
    <title></title>
</head>
<body>
    <script language="javascript">document.domain='bbb.com';</script>
</body>
</html>
=================================
<!-- helloWorld.htm -->
<html>
<body>
    <h1>Hello World!</h1>
</body>
</html>
=================================

If you click the "HelloWorld" link:
IE7: will open the link in a new tab instead of the target frame.
IE6, Firefox2/3, Safari 3.0.3: will open the link in the target frame.
Current WebKit: will do nothing.

This problem affects a popular forum in China: http://dzh.mop.com
In this forum, if you click a link in the left panel, current WebKit will not
open the link. (Due to some other reasons, IE7 works fine with this site.)


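The same-origin rule that document.domain feeds into, applied to the three frames of the test case above, as an added example that is not part of the original comment or of WebKit's code. It assumes the navigation check at issue is a script-access check between the navigating frame and the target frame, which the comment does not spell out; `makeDoc`, `canAccess` and `accessMatrix` are hypothetical names.

```javascript
// Added example: a model of the document.domain same-origin rule.
// Frame records below are constructed from the test case in the comment.

// document.domain may only be set to the host itself or a parent suffix of it
// (the public-suffix restriction browsers also apply is left out here).
function isValidDomain(host, value) {
  return host === value || host.endsWith("." + value);
}

// domainSetTo === undefined means the page never assigned document.domain.
function makeDoc(url, domainSetTo) {
  const u = new URL(url);
  if (domainSetTo !== undefined && !isValidDomain(u.hostname, domainSetTo)) {
    throw new Error(`${domainSetTo} is not a suffix of ${u.hostname}`);
  }
  return { scheme: u.protocol, host: u.hostname, port: u.port,
           domain: domainSetTo === undefined ? null : domainSetTo };
}

function canAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  const aSet = a.domain !== null;
  const bSet = b.domain !== null;
  // Once either side has set document.domain, both must have set it to the
  // same value; the port is then ignored.
  if (aSet || bSet) return aSet && bSet && a.domain === b.domain;
  return a.host === b.host && a.port === b.port;
}

function accessMatrix(frames) {
  const out = {};
  for (const [from, a] of Object.entries(frames)) {
    for (const [to, b] of Object.entries(frames)) {
      if (from !== to) out[`${from}->${to}`] = canAccess(a, b);
    }
  }
  return out;
}

const base = "http://aaa.bbb.com/";
const asPosted = {
  main: makeDoc(base + "navigation.htm", "bbb.com"),
  left: makeDoc(base + "left.htm"),            // no document.domain assignment
  right: makeDoc(base + "right.htm", "bbb.com"),
};
// Hypothetical variant: left.htm also opts in to bbb.com.
const leftOptsIn = { ...asPosted, left: makeDoc(base + "left.htm", "bbb.com") };

console.log(accessMatrix(asPosted));
console.log(accessMatrix(leftOptsIn));
```

In the posted layout `left->right` and `left->main` are false while `main->right` is true; in the variant where left.htm also sets document.domain, every pair is true.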