[Webkit-unassigned] [Bug 20988] New: Cross-frame scripting error from Web Inspector code

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 22 02:35:49 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20988

           Summary: Cross-frame scripting error from Web Inspector code
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Inspector
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ap at webkit.org


If a subframe navigates to a new security origin, Web Inspector hits XSS
security checks. To reproduce, put the attached test case into
LayoutTests/http/tests, start Apache with run-webkit-httpd, and open the test
as http://127.0.0.1:8000/main.html.

If the Inspector is open while running the test, I'm getting 5 error messages.
If it is opened after the test finishes, I'm getting two (but they are
generated when opening Inspector, not earlier).

Tested with r36712 nightly and with a local debug build.

#0  0x0392f160 in WebCore::JSDOMWindowBase::crossDomainAccessErrorMessage at JSDOMWindowBase.cpp:793
#1  0x03562bb6 in WebCore::JSDOMWindowBase::allowsAccessFrom at JSDOMWindowCustom.h:145
#2  0x038bf5db in WebCore::allowsAccessFromFrame at JSDOMBinding.cpp:331
#3  0x038bf626 in WebCore::checkNodeSecurity at JSDOMBinding.cpp:323
#4  0x03559c0b in WebCore::JSDOMWindow::getValueProperty at JSDOMWindow.cpp:532
#5  0x03562c20 in JSC::staticValueGetter<WebCore::JSDOMWindow> at lookup.h:116
#6  0x032ab76d in JSC::PropertySlot::getValue at PropertySlot.h:63
#7  0x0399effe in WebCore::JSQuarantinedObjectWrapper::getOwnPropertySlot at JSQuarantinedObjectWrapper.cpp:114
#8  0x008ea63f in JSC::JSValue::get at JSObject.h:432
#9  0x008d5224 in JSC::Machine::cti_op_get_by_id_generic at Machine.cpp:4270
#10 0x1d99828a in ??
#11 0x008d872e in JSC::Machine::execute at Machine.cpp:963
#12 0x0082fe67 in JSC::JSFunction::call at JSFunction.cpp:70
#13 0x0082ff03 in JSC::call at CallData.cpp:39
#14 0x008d179c in JSObjectCallAsFunction at JSObjectRef.cpp:305
#15 0x03521327 in WebCore::InspectorController::callFunction at InspectorController.cpp:147
#16 0x035234f7 in WebCore::InspectorController::inspectedWindowScriptObjectCleared at InspectorController.cpp:1272
#17 0x0343a410 in WebCore::FrameLoader::dispatchWindowObjectAvailable at FrameLoader.cpp:4850
...


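The attached test case is not reproduced in this archive. The following page is a constructed stand-in, added here as an illustration and not the reporter's attachment: it loads a same-origin subframe, then navigates that subframe to a second origin so that any later access to its window from the top frame (or from Inspector code walking frame windows) has to pass the same-origin check. The choice of http://localhost:8000 as the second origin, the file name frame.html, and the layoutTestController calls are assumptions; run-webkit-httpd serves one directory on both 127.0.0.1 and localhost, so a single small frame.html placed next to this file serves both origins.

```html
<!DOCTYPE html>
<!-- main.html: constructed example. Place next to a trivial frame.html in
     LayoutTests/http/tests and open as http://127.0.0.1:8000/main.html -->
<html>
<head><title>subframe origin change (constructed example)</title></head>
<body>
<p>Subframe navigates from 127.0.0.1:8000 to localhost:8000 (assumed second origin).</p>
<iframe id="f" src="http://127.0.0.1:8000/frame.html"></iframe>
<script>
// layoutTestController is the 2008-era DumpRenderTree hook (assumption: still
// present in the build under test); the page also works in a plain browser.
if (window.layoutTestController) {
    layoutTestController.dumpAsText();
    layoutTestController.waitUntilDone();
}

var frame = document.getElementById('f');
var loads = 0;

function log(msg) {
    var p = document.createElement('p');
    p.appendChild(document.createTextNode(msg));
    document.body.appendChild(p);
}

frame.onload = function () {
    loads++;
    if (loads === 1) {
        // Phase 1: frame origin equals ours (scheme, host and port match), so
        // reaching into its document is permitted by the same-origin policy.
        log('phase 1, same-origin access ok: ' + frames[0].document.title);

        // Now move the subframe to a different host name. Same machine, same
        // port, but a different origin as far as the security check is concerned.
        frame.src = 'http://localhost:8000/frame.html';
        return;
    }

    // Phase 2: the subframe's window is now cross-origin. Touching its document
    // must fail the allowsAccessFrom check. Depending on the engine this either
    // throws or yields undefined while logging a cross-frame scripting error to
    // the console, so both outcomes are treated as the expected refusal.
    var refused = false;
    try {
        var doc = frames[0].document;
        if (doc === undefined || doc === null) {
            refused = true;
        } else {
            log('unexpected: cross-origin document readable, title=' + doc.title);
        }
    } catch (e) {
        refused = true;
    }
    log(refused ? 'phase 2, cross-origin access refused as expected'
                : 'phase 2, FAIL: cross-origin access was allowed');

    if (window.layoutTestController) layoutTestController.notifyDone();
};
</script>
</body>
</html>
```

Only the second phase exercises the check that appears in the backtrace; with the Inspector open during phase 2, any property read that the Inspector's own wrappers perform on the now-foreign subframe window goes through the same allowsAccessFrom path and accounts for the console errors described in the report.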