[Webkit-unassigned] [Bug 16775] New: base tag overwrites document.documentURI

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 7 12:26:12 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=16775

           Summary: base tag overwrites document.documentURI
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: All
               URL: http://crypto.stanford.edu/~abarth/research/webkit/base/
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hk9565 at gmail.com
                CC: sam at webkit.org, webkit at collinjackson.com


If an HTML document contains a <base> tag, the value of its href attribute
overwrites the value of document.documentURI.  This is inconsistent with the
other two browsers that implement documentURI, Firefox and Opera.  Also,
JavaScript should not be able to overwrite the value of document.documentURI.

This bug has some security consequences.  For example, an attacker can set the
uri parameter of postMessage to an arbitrary URI, defeating any security checks
using uri.  The uri parameter is important for distinguishing between HTTP and
HTTPS as well as determining whether the sender's host is different from its
document.domain value.

(Not filing as security sensitive because postMessage appears to be the only
WebCore consumer of this API and hasn't shipped yet.)


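The consequence described in the report, modelled as an added example (not code from the report or from WebKit): a receiver checks a message's uri for HTTPS and an expected host, fed first by a documentURI that follows <base href> and then by one that ignores it. The host names, the document model and all function names are constructed for illustration.

```javascript
// Constructed model of a loaded document: the address it was fetched from
// and an optional <base href>. Not WebKit code.
function makeDoc(loadedFrom, baseHref) {
  return { loadedFrom, baseHref };
}

// Base URL for resolving relative links: <base href> wins when present.
function baseURL(doc) {
  return doc.baseHref ? new URL(doc.baseHref, doc.loadedFrom).href : doc.loadedFrom;
}

// Behaviour described in the report: documentURI follows <base href>.
function documentURIReported(doc) {
  return baseURL(doc);
}

// Behaviour the report expects: documentURI is the document's own address.
function documentURIExpected(doc) {
  return doc.loadedFrom;
}

// Receiver-side check on the uri attached to a message:
// require HTTPS and one specific host.
function receiverAccepts(uri, trustedHost) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return false; // unparsable uri is never trusted
  }
  return parsed.protocol === "https:" && parsed.hostname === trustedHost;
}

// The sender's message is stamped with whatever documentURI yields.
function deliver(doc, documentURIImpl, trustedHost) {
  const uri = documentURIImpl(doc);
  return { uri, accepted: receiverAccepts(uri, trustedHost) };
}

// Constructed sample: page served over HTTP from one host, with a
// <base href> naming an HTTPS URL on the host the receiver trusts.
const sample = makeDoc("http://other.example/page.html", "https://bank.example/");
console.log("reported:", deliver(sample, documentURIReported, "bank.example"));
console.log("expected:", deliver(sample, documentURIExpected, "bank.example"));
```

With the reported behaviour the receiver's scheme and host check passes for a page that was actually loaded over HTTP from a different host; with documentURI kept independent of <base>, the same check rejects it.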