[Webkit-unassigned] [Bug 32119] New: Object.getOwnPropertyDescriptor() allows cross-frame access

bugzilla-daemon at webkit.org
Thu Dec 3 08:20:34 PST 2009


           Summary: Object.getOwnPropertyDescriptor() allows cross-frame access
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: kent.hansen at nokia.com
            Blocks: 31933

Whereas Object.prototype.propertyIsEnumerable() blocks cross-frame access (see
Object.getOwnPropertyDescriptor() does not. E.g., whereas

Object.prototype.propertyIsEnumerable.call(targetFrame, 'myProp')

returns false (because access to 'myProp' is blocked, even if it exists on

Object.getOwnPropertyDescriptor(targetFrame, 'myProp').enumerable

returns true, and in fact the descriptor gives you a lot more information about
the property, not just whether it is enumerable.
This seems to be because the JSDOMWindow::getOwnPropertyDescriptor()
implementation is not as strict as it should be.
The call to propertyIsEnumerable() ends up calling
JSDOMWindow::getPropertyAttributes(), which immediately returns false if access
is not allowed; but getOwnPropertyDescriptor() falls through all the access
checks and ends up calling the base implementation, which gives the full
targetFrame.myProp descriptor.

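Added example, not part of the original report and not WebKit source: a small JavaScript model of the two lookup paths described above, with a regression-style audit that calls each reflection entry point as a denied caller. ModelWindow, StrictWindow, allowsAccessFrom, auditReflection, the origins and the property value are constructed for illustration; the same-origin rule and the gated override are assumptions about what "as strict as it should be" means.

```javascript
// Constructed model of the two lookup paths in the report; not WebKit code.
class ModelWindow {
  constructor(origin, props) {
    this.origin = origin;
    this.props = props; // property name -> full descriptor
  }
  allowsAccessFrom(callerOrigin) {
    return callerOrigin === this.origin; // assumed same-origin rule
  }
  // Path taken by propertyIsEnumerable(): access is checked first.
  getPropertyAttributes(callerOrigin, name) {
    if (!this.allowsAccessFrom(callerOrigin)) return false;
    const d = this.props[name];
    return d ? { enumerable: d.enumerable } : false;
  }
  // Path taken by Object.getOwnPropertyDescriptor() as reported:
  // no access check, so the base lookup answers for any caller.
  getOwnPropertyDescriptor(callerOrigin, name) {
    return this.props[name];
  }
}

// Same window with the descriptor path placed behind the same check.
class StrictWindow extends ModelWindow {
  getOwnPropertyDescriptor(callerOrigin, name) {
    if (!this.allowsAccessFrom(callerOrigin)) return undefined;
    return super.getOwnPropertyDescriptor(callerOrigin, name);
  }
}

// Audit: call every reflection entry point as the given caller and
// return the names of those that still hand back information.
function auditReflection(win, callerOrigin, name) {
  const entryPoints = ['getPropertyAttributes', 'getOwnPropertyDescriptor'];
  return entryPoints.filter((method) => {
    const result = win[method](callerOrigin, name);
    return result !== false && result !== undefined;
  });
}

// Constructed sample data.
const props = {
  myProp: { value: 'frame-private', writable: true, enumerable: true, configurable: true },
};
const lax = new ModelWindow('https://a.example', props);
const strict = new StrictWindow('https://a.example', props);
console.log(auditReflection(lax, 'https://b.example', 'myProp'));
console.log(auditReflection(strict, 'https://b.example', 'myProp'));
```

An empty audit result for a denied caller is the pass condition; any new reflection entry point added to the model belongs in the entryPoints list so it is covered by the same check.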