[Webkit-unassigned] [Bug 26989] New: Unsafe cross domain javascript redirect

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 6 07:37:55 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26989

           Summary: Unsafe cross domain javascript redirect
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://msdesign.dk/oes/filer/_test.htm
        OS/Version: Windows XP
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: steen at swine.dk


Feature or bug, I don't know. People on the IRC channel (#webkit) said I should
report it as a bug and get my answer that way.

On domain http://example1.com we visit the page "page1.html", here we open a
popup with the page http://example2.com/popup1.
Inside "popup1" is a javascript, window.opener.location.href =
"http://example1.com/page2.html" that runs onload.

In Firefox 3.5 and Internet Explorer 8 this will result in the opener
(http://example1.com/page1.html) being set to
"http://example1.com/page2.html".

On Safari 4 and Chrome 2 this returns a common error: "Unsafe JavaScript
attempt to initiate a navigation change for frame with URL %s1 from frame with
URL %s2."
Safari 4 furthermore returns the error: "Unsafe JavaScript attempt to access
frame with URL %s1 from frame with URL %s2. Domains, protocols and ports must
match."

%s1 = http://example1.com/page1.html
%s2 = http://example2.com/popup1

I know that there have been a great number of security enhancements lately, but
is this supposed to be one of them?

If it is supposed to, how is it possible to get around this restriction?
Many payment companies use this method for webshops, at least in Denmark. You
open a popup window with credit card payment options (MasterCard, Visa and so
forth) and when you have gone through the payment, the popup would close and
redirect the user to an order confirmation on the webshop - this is a vital
element.
If the user is not redirected back to the webshop, the webshop system won't
know that the order has gone through and the user will not be presented with an
order confirmation, but the payment will have gone through. This results in a
lot of users paying for things they don't get.

I have tried to find a document describing if there's a workaround - where you
could allow a certain website to make this redirect, but it has not been
possible for me to find this.
I've read that there is an "Access-Control-Allow-Origin" response header for
cross domain requests, but after trying it out, it doesn't seem to have an
effect.

I have a very simple test-case here: http://msdesign.dk/oes/filer/_test.htm
It will open a popup at the page
http://www.swine.dk/spil/_test2.html?things=tadaa
The popup tries to redirect the window.opener to
http://msdesign.dk/oes/filer/_test2.htm

In Firefox 3.5 and Internet Explorer 8 it works, but not in Safari 4 or Chrome
2.

I hope there is a solution to this.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
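
An added illustration, not part of the original report and not WebKit source code: a model of the rule quoted in the second error message ("Domains, protocols and ports must match"), applied to the report's example URLs. The function names are hypothetical, and the assumption that only the two frame URLs named in the message are compared (not the destination URL) is taken from the error text and the reported Safari 4 / Chrome 2 behaviour.

```javascript
// Models the check described by the quoted error text. Illustration only.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (protocol, domain, port) triple the message refers to.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL.port is "" when the scheme's default port is in use.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// List which parts of the triple differ between two frame URLs.
function originMismatch(targetFrameUrl, callerFrameUrl) {
  const t = originTuple(targetFrameUrl);
  const c = originTuple(callerFrameUrl);
  return ["protocol", "host", "port"].filter((k) => t[k] !== c[k]);
}

// Compare the caller frame (popup) with the target frame (opener).
// The destination URL is reported separately and does not change the result.
function checkOpenerNavigation(openerUrl, popupUrl, destinationUrl) {
  const mismatch = originMismatch(openerUrl, popupUrl);
  return {
    allowed: mismatch.length === 0,
    mismatch,
    destinationSameOriginAsOpener:
      originMismatch(openerUrl, destinationUrl).length === 0,
  };
}

// URLs from the report: %s1 (opener), %s2 (popup), and the redirect target.
const reportCase = checkOpenerNavigation(
  "http://example1.com/page1.html",
  "http://example2.com/popup1",
  "http://example1.com/page2.html"
);
console.log(reportCase);
```

The destination being on the opener's own domain does not help here, because the comparison the message describes is between the frame that runs the script and the frame being changed.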


