[Webkit-unassigned] [Bug 66996] New: chromium: we log the parent and child origins to the javascript console when there is a cross-origin violation

bugzilla-daemon at webkit.org
Thu Aug 25 16:21:43 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66996

           Summary: chromium: we log the parent and child origins to the
                    javascript console when there is a cross-origin
                    violation
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dpranke at chromium.org


A month or so ago when I was at a workshop at Stanford, someone reported to me that Chrome/Chromium (unlike all other web browsers) will actually log both the parent and child URLs when we have a cross-origin violation, e.g.:

Unsafe JavaScript attempt to access frame with URL http://127.0.0.1/~dpranke/tests/origin_console/iframe.html from frame with URL http://localhost/tests/origin_console/test.html. Domains, protocols and ports must match.

He was wondering if this might cause some sort of information leakage or be useful in some sort of an attack. I couldn't think of anything, but I thought I would file it here just so someone else can weigh in on it. Possibly we should change our behavior to not log the URLs at all and match the other browsers?
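
The same-origin comparison behind the quoted console message, and what a console reader learns at three levels of message detail, as an added example that is not part of the original report and is not WebKit code. The function names, the 'origin-only' and 'none' wordings, and the query string on the child URL are assumptions constructed for illustration; only the 'full-url' wording is quoted from the report.

```javascript
// Added illustration; function names and the two redacted wordings are
// hypothetical. Only the 'full-url' wording is quoted from the report.

// Same-origin check on the (scheme, host, port) tuple. URL.origin normalizes
// default ports; opaque origins serialize to "null" and never match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== 'null' && oa === ob;
}

const TAIL = ' Domains, protocols and ports must match.';

// Returns the console message for a blocked access, or null if it is allowed.
function violationMessage(targetUrl, accessorUrl, detail) {
  if (sameOrigin(targetUrl, accessorUrl)) return null;
  const head = 'Unsafe JavaScript attempt to access frame';
  switch (detail) {
    case 'full-url':
      return `${head} with URL ${targetUrl} from frame with URL ${accessorUrl}.${TAIL}`;
    case 'origin-only':
      return `${head} with origin ${new URL(targetUrl).origin} ` +
             `from frame with origin ${new URL(accessorUrl).origin}.${TAIL}`;
    case 'none':
      return `${head} from a frame with a different origin.${TAIL}`;
    default:
      throw new Error(`unknown detail level: ${detail}`);
  }
}

// Which parts of `url` can be read back out of `message`.
function disclosed(message, url) {
  const u = new URL(url);
  return {
    origin: message.includes(u.origin),
    path: u.pathname !== '/' && message.includes(u.pathname),
    query: u.search !== '' && message.includes(u.search),
  };
}

// URLs from the report, plus a constructed query string on the child frame.
const parent = 'http://localhost/tests/origin_console/test.html';
const child = 'http://127.0.0.1/~dpranke/tests/origin_console/iframe.html?session=constructed';

for (const level of ['full-url', 'origin-only', 'none']) {
  console.log(level, disclosed(violationMessage(child, parent, level), child));
}
```
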
