[Webkit-unassigned] [Bug 16848] New: SecurityOrigin::copy does not copy m_domainWasSetInDOM

bugzilla-daemon at webkit.org
Fri Jan 11 18:19:54 PST 2008


           Summary: SecurityOrigin::copy does not copy m_domainWasSetInDOM
           Product: WebKit
           Version: 525+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hk9565 at gmail.com
                CC: mjs at apple.com, sam at webkit.org, webkit at collinjackson.com

The new SecurityOrigin::copy method does not copy m_domainWasSetInDOM when
making a copy of the security origin.  This does not appear to be exploitable
currently, but could lead to two classes of bugs:

1) A document sets its document.domain and then tries to access an object that
uses a copy() of its SecurityOrigin.  It cannot access the document because
that document's origin has forgotten that it had set its domain property.

2) A malicious document from foo.example.com could set its document.domain
property to example.com, then transfer control to an object that uses a copy()
of its security origin.  Once there, it could script example.com.

The copy() method also does not copy m_noAccess, which could lead to similar
attacks using data: URLs.
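As an added illustration (a simplified model written for this note, not WebKit's SecurityOrigin code), the two bug classes the report describes, with a copy that drops the flag beside one that carries it over. The access rule is assumed to be the document.domain rule the report relies on: either neither side set document.domain and scheme, host and port match, or both set it and scheme and host match.

```cpp
#include <string>

// Hypothetical, simplified stand-in for a security origin (not WebKit's class).
struct Origin {
    std::string protocol, host;
    int port = 0;
    bool domainWasSetInDOM = false;  // document.domain was assigned by script
    bool noAccess = false;           // e.g. a data: URL origin

    // Assumed access rule: both sides left document.domain alone (scheme, host,
    // port must match) or both set it (scheme and host must match).
    bool canAccess(const Origin& other) const {
        if (noAccess || other.noAccess) return false;
        if (protocol != other.protocol) return false;
        if (!domainWasSetInDOM && !other.domainWasSetInDOM)
            return host == other.host && port == other.port;
        if (domainWasSetInDOM && other.domainWasSetInDOM)
            return host == other.host;
        return false;
    }

    // Lossy copy: reproduces the reported defect, both flags are dropped.
    Origin copyDroppingFlags() const { return Origin{protocol, host, port}; }
    // Corrected copy: every field, flags included, carries over.
    Origin copyComplete() const { return *this; }

    // document.domain = "example.com" executed from foo.example.com
    void setDomainFromDOM(const std::string& newDomain) {
        host = newDomain;
        domainWasSetInDOM = true;
    }
};

// Class 1: a document that set document.domain can no longer reach an object
// holding a lossy copy of its own origin (one side flagged, the other not).
bool selfAccessAfterCopy(bool lossy) {
    Origin doc{"http", "foo.example.com", 80};
    doc.setDomainFromDOM("example.com");
    Origin held = lossy ? doc.copyDroppingFlags() : doc.copyComplete();
    return doc.canAccess(held);
}

// Class 2: a lossy copy taken after document.domain was set looks like a
// pristine example.com origin, so the rule grants it access to a genuine
// example.com document that never touched document.domain.
bool crossSiteAccessAfterCopy(bool lossy) {
    Origin page{"http", "foo.example.com", 80};
    page.setDomainFromDOM("example.com");
    Origin held = lossy ? page.copyDroppingFlags() : page.copyComplete();
    Origin victim{"http", "example.com", 80};
    return held.canAccess(victim);
}
```

With the complete copy, class 1 succeeds (both flagged, same host) and class 2 is refused (one flagged, one not); with the lossy copy the outcomes invert.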
