[Webkit-unassigned] [Bug 51674] New: LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability
bugzilla-daemon at webkit.org
Tue Dec 28 05:17:33 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51674
Summary: LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: Major
Priority: P2
Component: WebKit Qt
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: pushparajan.vijayakumar at nokia.com
CC: prashanth.narayanaswamy at nokia.com
Created an attachment (id=77550)
--> (https://bugs.webkit.org/attachment.cgi?id=77550&action=review)
test case for cross frame access
In QtTestBrowser, enable the setting below:
QWebSettings::globalSettings()->setAttribute(QWebSettings::LocalContentCanAccessRemoteUrls, true);
Without this attribute enabled, QtTestBrowser never allows any cross-domain features (i.e. XHR from a local scheme).
But after enabling this setting, QtTestBrowser also allows cross-domain JavaScript access across iframes, i.e. the parent can call the child iframe's JavaScript. But the reverse (the child calling the parent's JS API) is somehow not allowed.
As per the documentation, LocalContentCanAccessRemoteUrls should only enable XHR to remote URLs.
I read the following comment in BindingSecurityBase.cpp:
// Same origin policy prevents JS code from domain A from accessing JS & DOM
// objects in a different domain B. There are exceptions and several objects
// are accessible by cross-domain code. For example, the window.frames object
// is accessible by code from a different domain, but window.document is not.
But I am still doubtful whether such access should be allowed (even when LocalContentCanAccessRemoteUrls is enabled), as the iframe URL is never a trusted URL.
Attached is a test case which modifies content in an iframe. The iframe is loaded from a different URL.
In a normal QtTestBrowser this is not reproducible. Please enable LocalContentCanAccessRemoteUrls to verify this bug.
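The following is an added probe script modelled on the reporter's description (a local parent page holding an iframe loaded from a remote URL); it is not the attachment from this bug and not WebKit code. It performs the two accesses the same-origin policy is supposed to block, window.document and a function call into the other frame, from either direction, catches the SecurityError a conforming engine throws, and reports whether access was granted. The function name probeFrameAccess, the frame id "remote", the child-side function hello() and the URLs in the comments are assumptions for illustration.

```javascript
// Added example, not the bug attachment. Assumed layout: a file:// parent page
// containing <iframe id="remote" src="http://example.com/child.html">, and a
// child page that defines window.hello = () => 'hi'. Both names are assumptions.

// Attempts the cross-frame accesses that the same-origin policy must block and
// records whether the engine granted them. `win` is a Window object: the parent
// passes iframe.contentWindow, the child passes window.parent.
function probeFrameAccess(win, label) {
  const result = { label, documentAccess: false, scriptAccess: false, error: null };
  try {
    // Reading window.document of a different-origin frame must throw SecurityError.
    const doc = win.document;
    result.documentAccess = doc !== undefined && doc !== null;
    if (result.documentAccess) {
      // Mirror the attached test case, which modifies the other frame's content.
      doc.body.innerHTML = '<p>modified by ' + label + '</p>';
    }
  } catch (e) {
    result.error = e && e.name ? e.name : String(e);
  }
  try {
    // Calling a function defined in the other frame is also cross-origin
    // script access and must be refused in the same way.
    result.scriptAccess = typeof win.hello === 'function' && win.hello() === 'hi';
  } catch (e) {
    result.error = result.error || (e && e.name ? e.name : String(e));
  }
  return result;
}

// A different-origin frame must grant neither document nor script access;
// either one being true is a same-origin policy violation, whatever the
// LocalContentCanAccessRemoteUrls setting, which is documented as XHR-only.
function isPolicyViolated(result) {
  return result.documentAccess || result.scriptAccess;
}

// Browser entry point. In the parent it probes the iframe (parent->child);
// in the child, where no frame with that id exists, it probes window.parent
// (child->parent). Guarded so the same file loads under Node for testing.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const frame = document.getElementById('remote');
    const r = frame
      ? probeFrameAccess(frame.contentWindow, 'parent->child')
      : probeFrameAccess(window.parent, 'child->parent');
    console.log(JSON.stringify(r), isPolicyViolated(r) ? 'VIOLATION' : 'blocked as expected');
  });
}
```

Load the parent page once with the attribute off and once with it on; the report's claim is that the parent->child probe flips to a violation in the second run while child->parent stays blocked, so a correct fix should leave both directions reporting SecurityError with the attribute on while a plain XHR to the remote origin still succeeds.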