[Webkit-unassigned] [Bug 51674] New: LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 28 05:17:33 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51674

           Summary: LocalContentCanAccessRemoteUrls creates cross frame
                    scripting vulnerability
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: WebKit Qt
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: pushparajan.vijayakumar at nokia.com
                CC: prashanth.narayanaswamy at nokia.com


Created an attachment (id=77550)
 --> (https://bugs.webkit.org/attachment.cgi?id=77550&action=review)
test case for cross frame access

In QtTestBrowser, enable the below setting,

QWebSettings::globalSettings()->setAttribute(QWebSettings::LocalContentCanAccessRemoteUrls, true);

Without enabling this attribute, qttestbrowser never allows any cross-domain features (i.e., XHR from a local scheme).

But after enabling this setting, qttestbrowser also allows cross-domain JavaScript access across iframes, i.e., the parent can call the child iframe's JavaScript. But the reverse (child calling the parent's JS API) is not allowed somehow.


As per the documentation, LocalContentCanAccessRemoteUrls should only enable XHR for remote URL. 

I read a comment in BindingSecurityBase.cpp like:
// Same origin policy prevents JS code from domain A from accessing JS & DOM
// objects in a different domain B. There are exceptions and several objects
// are accessible by cross-domain code. For example, the window.frames object
// is accessible by code from a different domain, but window.document is not.

But still doubtful whether such an access should be allowed (even when LocalContentCanAccessRemoteUrls is enabled) as iframe URL is never a trusted URL. 

Attached a test case which modifies content in an iframe. The iframe is loaded from a different URL.

In normal qttestbrowser, this is not reproducible. Please enable LocalContentCanAccessRemoteUrls to verify this bug.
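The kind of cross-frame probe a test page for this report would run, as an added example (this is not the attachment from the bug, and not WebKit or QtWebKit code). It assumes a parent page served from a local scheme that embeds a remote child, e.g. <iframe id="remote" src="http://example.org/child.html"> (hypothetical URL), and records which accesses to the child's window the browser allows. Reads of the child's document, location.href and globals (here a hypothetical childApi) must raise SecurityError under the same-origin policy; window.frames and postMessage are legitimately reachable cross-origin and serve as controls. A constructed stand-in window lets the probe run outside a browser.

```javascript
'use strict';

// Probes against another frame's window object. mustBeBlocked marks accesses
// the same-origin policy has to refuse for a cross-origin window.
const PROBES = [
  { name: 'document',      mustBeBlocked: true,  access: (w) => w.document },
  { name: 'location.href', mustBeBlocked: true,  access: (w) => w.location.href },
  // childApi is a hypothetical global defined by the child page
  { name: 'childApi',      mustBeBlocked: true,  access: (w) => w.childApi },
  { name: 'frames',        mustBeBlocked: false, access: (w) => w.frames },
  { name: 'postMessage',   mustBeBlocked: false, access: (w) => w.postMessage },
];

// Run every probe against otherWindow; returns { name: 'allowed' | 'blocked' | 'error:<name>' }.
function probeFrameAccess(otherWindow) {
  const result = {};
  for (const { name, access } of PROBES) {
    try {
      access(otherWindow);
      result[name] = 'allowed';
    } catch (err) {
      // A browser throws a DOMException named SecurityError for a cross-origin access.
      result[name] = err && err.name === 'SecurityError' ? 'blocked' : 'error:' + (err && err.name);
    }
  }
  return result;
}

// Names of probes that were allowed although the same-origin policy requires them blocked.
function violations(result) {
  return PROBES
    .filter((p) => p.mustBeBlocked && result[p.name] === 'allowed')
    .map((p) => p.name);
}

// Constructed stand-in for a cross-origin window so the probe runs without a
// browser. enforceSop=true mimics a correct browser; enforceSop=false mimics
// the behaviour reported above, where the parent can reach into the remote child.
function makeStubWindow(enforceSop) {
  const securityError = () => {
    const e = new Error('Blocked a frame from accessing a cross-origin frame.');
    e.name = 'SecurityError';
    return e;
  };
  const gated = (value) => () => {
    if (enforceSop) throw securityError();
    return value;
  };
  const stub = { postMessage: () => {} };
  stub.frames = stub; // in a browser, window.frames === window
  Object.defineProperty(stub, 'document', { get: gated({ title: 'child' }) });
  // The Location object itself is reachable cross-origin; reading href is not.
  Object.defineProperty(stub, 'location', {
    get: () => ({ get href() { return gated('http://example.org/child.html')(); } }),
  });
  Object.defineProperty(stub, 'childApi', { get: gated(() => 'child function') });
  return stub;
}

// In the actual test page (browser only):
//   const child = document.getElementById('remote').contentWindow;
//   document.getElementById('remote').onload = () => {
//     const r = probeFrameAccess(child);
//     console.log(r, violations(r));
//   };
// Inside the child page, probeFrameAccess(window.parent) checks the reverse direction.
if (typeof document === 'undefined') {
  console.log('correct browser:', violations(probeFrameAccess(makeStubWindow(true))));
  console.log('reported bug:   ', violations(probeFrameAccess(makeStubWindow(false))));
}
```

Run the same probe from both sides: the report says parent-to-child access is allowed while child-to-parent is not, so a page that logs violations() in the parent and in the child shows the asymmetry directly, and an empty violations list on both sides is the expected result once LocalContentCanAccessRemoteUrls only relaxes XHR.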
