[Webkit-unassigned] [Bug 16775] New: base tag overwrites document.documentURI
bugzilla-daemon at webkit.org
Mon Jan 7 12:26:12 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=16775
Summary: base tag overwrites document.documentURI
Product: WebKit
Version: 525+ (Nightly build)
Platform: All
URL: http://crypto.stanford.edu/~abarth/research/webkit/base/
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hk9565 at gmail.com
CC: sam at webkit.org, webkit at collinjackson.com

If an HTML document contains a <base> tag, the value of its href attribute
overwrites the value of document.documentURI. This is inconsistent with the
other two browsers that implement documentURI, Firefox and Opera. Also,
JavaScript should not be able to overwrite the value of document.documentURI.

This bug has some security consequences. For example, an attacker can set the
uri parameter of postMessage to an arbitrary URI, defeating any security checks
using uri. The uri parameter is important for distinguishing between HTTP and
HTTPS as well as determining whether the sender's host is different from its
document.domain value.

(Not filing as security sensitive because postMessage appears to be the only
WebCore consumer of this API and hasn't shipped yet.)
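
The invariant this report asks for, as an added JavaScript model that is not part of the original report and is not WebKit code: a `<base href>` may change the base URL used for resolving relative links, but the document URI handed to a message receiver must stay the URL the document was loaded from. All function names and URLs are constructed for illustration, and `describeDocumentReported` only models the behaviour the report describes.

```javascript
// Added illustration; function names and URLs are constructed, not from WebKit.

// Expected behaviour: <base href> affects only the base URL for relative
// links; documentURI stays the URL the document was loaded from.
function describeDocument(loadedFrom, baseHref) {
  const documentURI = new URL(loadedFrom).href;
  const baseURI = baseHref ? new URL(baseHref, loadedFrom).href : documentURI;
  return { documentURI, baseURI };
}

// Model of the reported behaviour: the base href overwrites documentURI.
function describeDocumentReported(loadedFrom, baseHref) {
  const { baseURI } = describeDocument(loadedFrom, baseHref);
  return { documentURI: baseURI, baseURI };
}

// Receiver-side check on the sender URI: exact scheme and host match, so
// HTTP is never accepted in place of HTTPS. Unparseable input is rejected.
function isTrustedSender(senderUri, trustedUris) {
  let sender;
  try {
    sender = new URL(senderUri);
  } catch (e) {
    return false;
  }
  return trustedUris.some((t) => {
    const trusted = new URL(t);
    return sender.protocol === trusted.protocol && sender.host === trusted.host;
  });
}

// Regression check: the document URI must be the same whatever <base href>
// the page declares. Returns false for an implementation with this bug.
function documentUriIgnoresBase(describe, loadedFrom, baseHrefs) {
  const expected = new URL(loadedFrom).href;
  return baseHrefs.every((b) => describe(loadedFrom, b).documentURI === expected);
}

// Constructed sample: a page served over HTTP that declares an HTTPS base.
const LOADED_FROM = "http://untrusted.example/page.html";
const BASE_HREFS = [null, "https://trusted.example/", "/other/"];
const TRUSTED = ["https://trusted.example/"];
```

The receiver check is only as sound as the URI the browser reports, which is why the regression check is run against the browser-side derivation rather than against the receiver.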