[Webkit-unassigned] [Bug 16824] Script authorization should follow lexical (not dynamic) scope

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 10 15:05:32 PST 2008


http://bugs.webkit.org/show_bug.cgi?id=16824





------- Comment #3 from webkit at collinjackson.com  2008-01-10 15:05 PDT -------
Created an attachment (id=18379)
 --> (http://bugs.webkit.org/attachment.cgi?id=18379&action=view)
Example of dangers of dynamic scope (needs to be run from a file URL)

Dynamic scope makes it extremely difficult to write correct code when code from
different origins interacts (for example, when a file:// page accesses an http://
page in bug 16011).

Here is a test case that is designed to be run from a file:// URL. It creates
an iframe to an http://crypto.stanford.edu/ page and implicitly calls the
toString() method of that frame: 

  "My child is " + frames[0]

Because dynamic scope is used, the crypto.stanford.edu page can hijack the
privileges of its parent file:// page and steal your cookies from any site. If
lexical scope were employed, the attacker could still overwrite the toString()
method but wouldn't gain any additional privileges.

This is hard for web attackers to exploit because Safari prevents web sites
from directing the browser from file:// URLs. As shown by the LayoutTest
included in the patch, however, http sites can also run into this problem using
document.domain.


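The following is an added toy model of the two authorization policies the comment above contrasts; it is not the attachment from the bug report nor WebKit code. It assumes a simplified access rule (file:// is privileged, everything else is same-origin only), two constructed documents, and a call stack whose bottom entry stands in for the page that started execution.

```javascript
// Added toy model of the two authorization policies contrasted in the bug
// report. Constructed simulation, not WebKit code: a privileged file:// page
// frames a web page whose script overrides toString().
const parentDoc = { origin: "file://", cookies: "session=abc" }; // constructed
const childDoc = { origin: "http://crypto.stanford.edu", cookies: "" }; // constructed

// Simplified access rule: file:// is privileged, everyone else is same-origin only.
function readCookies(actingOrigin, target) {
  if (actingOrigin !== "file://" && actingOrigin !== target.origin) {
    throw new Error(`SecurityError: ${actingOrigin} may not read ${target.origin}`);
  }
  return target.cookies;
}

// Simulated call stack: the document whose script each active function belongs to.
const stack = [];
function runAs(doc, fn) {
  stack.push(doc);
  try { return fn(); } finally { stack.pop(); }
}

// The policy decides which document a running function acts on behalf of.
const policies = {
  // Dynamic scope: the page that started the call chain (bottom of the stack).
  dynamic: (lexicalDoc) => stack[0],
  // Lexical scope: the page whose script defined the function.
  lexical: (lexicalDoc) => lexicalDoc,
};

// Replays "My child is " + frames[0] under one policy and reports whether the
// child's toString() was able to read the parent's cookies.
function simulate(policyName) {
  const policy = policies[policyName];
  const frame = {
    // Child's overriding toString(): runs as the child's script but tries to
    // read the parent's cookies with whatever origin the policy grants it.
    toString: () => runAs(childDoc, () =>
      readCookies(policy(childDoc).origin, parentDoc)),
  };
  try {
    // Parent's script performs the implicit string conversion from the report.
    const text = runAs(parentDoc, () => "My child is " + frame);
    return { leaked: true, text };
  } catch (err) {
    return { leaked: false, text: err.message };
  }
}

console.log(simulate("dynamic")); // { leaked: true, text: 'My child is session=abc' }
console.log(simulate("lexical")); // { leaked: false, text: 'SecurityError: http://crypto.stanford.edu may not read file://' }
```

Under the dynamic policy the child's code inherits the file:// caller's privilege; under the lexical policy the overridden toString() still runs but is held to its own origin.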