[Webkit-unassigned] [Bug 16848] New: SecurityOrigin::copy does not copy m_domainWasSetInDOM
bugzilla-daemon at webkit.org
Fri Jan 11 18:19:54 PST 2008
http://bugs.webkit.org/show_bug.cgi?id=16848
Summary: SecurityOrigin::copy does not copy m_domainWasSetInDOM
Product: WebKit
Version: 525+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.4
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hk9565 at gmail.com
CC: mjs at apple.com, sam at webkit.org, webkit at collinjackson.com
The new SecurityOrigin::copy method does not copy m_domainWasSetInDOM when
making a copy of the security origin. This does not appear to be exploitable
currently, but could lead to two classes of bugs:
1) A document sets its document.domain and then tries to access an object that
uses a copy() of its SecurityOrigin. It cannot access the document because
that document's origin has forgotten that it had set its domain property.
2) A malicious document from foo.example.com could set its document.domain
property to example.com, then transfer control to an object that uses a copy()
of its security origin. Once there, it could script example.com.
The copy() method also does not copy m_noAccess, which could lead to similar
attacks using data: URLs.
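The failure mode the report describes, as an added illustration that is not WebKit's code and not part of the original bug mail: a simplified `Origin` model (the names `Origin`, `copyBuggy`, `copyFixed`, `copyPreservesDecisions` and the access rule are assumptions for the example, modelled on the document.domain semantics the report relies on) whose copy routine drops `domainWasSetInDOM` and `noAccess`, beside a corrected copy, plus the invariant a reviewer would check: a copy must reach the same access decisions as the origin it was copied from.

```cpp
#include <iostream>
#include <string>

// Simplified model (not WebKit's real SecurityOrigin) carrying the two flags
// the report says SecurityOrigin::copy fails to carry over.
struct Origin {
    std::string protocol;
    std::string host;
    std::string domain;             // effective document.domain
    bool domainWasSetInDOM = false; // document.domain was assigned from script
    bool noAccess = false;          // opaque origin, e.g. a data: URL

    static Origin create(const std::string& protocol, const std::string& host, bool noAccess = false) {
        Origin o;
        o.protocol = protocol;
        o.host = host;
        o.domain = host;
        o.noAccess = noAccess;
        return o;
    }

    // document.domain = "example.com" from script.
    void setDomainFromDOM(const std::string& newDomain) {
        domain = newDomain;
        domainWasSetInDOM = true;
    }

    // Buggy copy, as described in the report: the flags are not copied.
    Origin copyBuggy() const {
        Origin o;
        o.protocol = protocol;
        o.host = host;
        o.domain = domain;
        return o;
    }

    // Fixed copy: every field that influences canAccess() travels with the copy.
    Origin copyFixed() const { return *this; }

    // Assumed access rule: opaque origins never match; both sides unset ->
    // scheme and host must match; both sides set document.domain -> scheme
    // and domain must match; one side set and the other not -> no access.
    bool canAccess(const Origin& other) const {
        if (noAccess || other.noAccess) return false;
        if (protocol != other.protocol) return false;
        if (!domainWasSetInDOM && !other.domainWasSetInDOM) return host == other.host;
        if (domainWasSetInDOM && other.domainWasSetInDOM) return domain == other.domain;
        return false;
    }
};

// Invariant: against any peer, a copy decides exactly as its original does,
// in both directions.
bool copyPreservesDecisions(const Origin& original, const Origin& copy, const Origin& peer) {
    return original.canAccess(peer) == copy.canAccess(peer)
        && peer.canAccess(original) == peer.canAccess(copy);
}

// Class 1 from the report: a document that set document.domain loses access
// when its origin is copied without the flag. Returns true when the bug shows.
bool class1LosesAccess(bool useFixedCopy) {
    Origin foo = Origin::create("http", "foo.example.com");
    Origin bar = Origin::create("http", "bar.example.com");
    foo.setDomainFromDOM("example.com");
    bar.setDomainFromDOM("example.com");
    Origin fooCopy = useFixedCopy ? foo.copyFixed() : foo.copyBuggy();
    return foo.canAccess(bar) && !fooCopy.canAccess(bar);
}

// The m_noAccess half of the report: two copies of an opaque data: origin
// must stay mutually inaccessible. Returns true when the copies diverge.
bool opaqueCopiesDiverge(bool useFixedCopy) {
    Origin data = Origin::create("data", "", /*noAccess=*/true);
    Origin a = useFixedCopy ? data.copyFixed() : data.copyBuggy();
    Origin b = useFixedCopy ? data.copyFixed() : data.copyBuggy();
    return !data.canAccess(data) && a.canAccess(b);
}

int main() {
    std::cout << "buggy copy breaks class 1: " << class1LosesAccess(false) << "\n";
    std::cout << "fixed copy breaks class 1: " << class1LosesAccess(true) << "\n";
    std::cout << "buggy copies of data: origin diverge: " << opaqueCopiesDiverge(false) << "\n";
    std::cout << "fixed copies of data: origin diverge: " << opaqueCopiesDiverge(true) << "\n";
    return 0;
}
```

The regression test to keep is `copyPreservesDecisions` run over the buggy and fixed copies against peers with and without document.domain set; it fails for any copy routine that forgets a field consulted by `canAccess`, which is the general shape of this bug.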