[Webkit-unassigned] [Bug 32119] New: Object.getOwnPropertyDescriptor() allows cross-frame access
bugzilla-daemon at webkit.org
Thu Dec 3 08:20:34 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=32119
Summary: Object.getOwnPropertyDescriptor() allows cross-frame access
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: kent.hansen at nokia.com
Blocks: 31933
Whereas Object.prototype.propertyIsEnumerable() blocks cross-frame access (see LayoutTests/http/tests/security/cross-frame-access-object-prototype.html), Object.getOwnPropertyDescriptor() does not. E.g., whereas

Object.prototype.propertyIsEnumerable.call(targetFrame, 'myProp')

returns false (because access to 'myProp' is blocked, even if it exists on targetFrame),

Object.getOwnPropertyDescriptor(targetFrame, 'myProp').enumerable

returns true, and in fact the descriptor gives you a lot more information about the property, not just whether it is enumerable.

This seems to be because the JSDOMWindow::getOwnPropertyDescriptor() implementation is not as strict as it should be.

The call to propertyIsEnumerable() ends up calling JSDOMWindow::getPropertyAttributes(), which immediately returns false if access is not allowed; but getOwnPropertyDescriptor() falls through all the access checks and ends up calling the base implementation, which gives the full targetFrame.myProp descriptor.
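A small JavaScript model of the two code paths the report contrasts, added here as an illustration and not taken from WebKit or its LayoutTests: the class and method names, the origin rule, and the guarded variant's fix (running the same access check before consulting the base object) are assumptions of the example.

```javascript
// Model of a DOM window host with two property-inspection paths: one guarded
// (getPropertyAttributes) and one that falls through to the base object
// (getOwnPropertyDescriptor). Names and the access rule are assumptions.
class WindowHost {
  constructor(origin, props) {
    this.origin = origin; // origin this window belongs to, e.g. "https://target.example"
    this.base = props;    // plain object standing in for the window's real property storage
  }
  // Same-origin check that every cross-frame access is supposed to pass.
  allowsAccessFrom(callerOrigin) {
    return callerOrigin === this.origin;
  }
  // Path behind Object.prototype.propertyIsEnumerable: returns null when blocked.
  getPropertyAttributes(callerOrigin, name) {
    if (!this.allowsAccessFrom(callerOrigin)) return null;
    const d = Object.getOwnPropertyDescriptor(this.base, name);
    return d ? { enumerable: d.enumerable } : null;
  }
}

// Defective variant: the descriptor path never consults allowsAccessFrom and
// hands back whatever the base object holds.
class LeakyWindowHost extends WindowHost {
  getOwnPropertyDescriptor(callerOrigin, name) {
    return Object.getOwnPropertyDescriptor(this.base, name);
  }
}

// Hardened variant: the same guard as getPropertyAttributes, applied first.
class GuardedWindowHost extends WindowHost {
  getOwnPropertyDescriptor(callerOrigin, name) {
    if (!this.allowsAccessFrom(callerOrigin)) return undefined;
    return Object.getOwnPropertyDescriptor(this.base, name);
  }
}

// Regression check in the spirit of the LayoutTest: a caller the attribute
// path refuses must learn nothing from the descriptor path either.
function crossFrameLeak(host, callerOrigin, name) {
  const attrs = host.getPropertyAttributes(callerOrigin, name);
  const desc = host.getOwnPropertyDescriptor(callerOrigin, name);
  return attrs === null && desc !== undefined;
}

// Constructed sample: one same-origin and one foreign caller (not real sites).
const sample = { myProp: 1 };
const leaky = new LeakyWindowHost("https://target.example", sample);
const guarded = new GuardedWindowHost("https://target.example", sample);
console.log(crossFrameLeak(leaky, "https://other.example", "myProp"));   // true
console.log(crossFrameLeak(guarded, "https://other.example", "myProp")); // false
```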