[Webkit-unassigned] [Bug 73083] Fix the Frame Leak Attack
bugzilla-daemon at webkit.org
Mon Apr 2 11:36:32 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=73083
--- Comment #27 from Adam Barth <abarth at webkit.org> 2012-04-02 11:36:32 PST ---
(In reply to comment #26)
> (In reply to comment #22)
> > (From update of attachment 133116 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=133116&action=review
> >
> > > Source/WebCore/loader/FrameLoader.cpp:2795
> > > + Frame* parent = m_frame->tree()->parent();
> > > + if (parent && !m_frame->document()->securityOrigin()->canAccess(parent->document()->securityOrigin()))
> > > + return;
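Review bot: the early return at FrameLoader.cpp:2795 only compares against the immediate parent (`m_frame->tree()->parent()`), but a frame can be navigated by any of its ancestors, not just its parent (comment #27), so in an A > B > C tree where B and C share an origin a cross-origin A can still trigger and observe the anchor navigation in C; walk the whole ancestor chain and return if any ancestor's `securityOrigin()` fails `canAccess`.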
> >
> > What happens if there is a nested iframe? For example
> > A
> > - B
> > - C
> >
> > where B and C are the same origin? Won't scroll operations on C leak information to A even through B and C are the same origin?
>
> We don't care about scroll operations apart from those resulting from navigation to anchors, and the attack is possible in general because A can initiate a navigation on B. I don't think A can initiate a navigation on C -- that would be the iframe hijacking issue again, no?
A can initiate a navigation on C. In general, a frame can navigate any of its descendants.
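To make the point in comment #27 concrete, here is an added example (not WebKit code) that models the A > B > C tree from the thread with constructed stand-in origin strings and contrasts the patch's parent-only check with one that walks every ancestor:

```cpp
#include <string>
#include <utility>

// Toy frame tree: each frame carries its origin and a pointer to its parent.
// Origins are plain strings here; WebKit compares SecurityOrigin objects.
struct Frame {
    std::string origin;
    const Frame* parent; // nullptr for the top-level frame
};

// Mirrors the posted patch: only the immediate parent's origin is consulted.
bool parentOnlyCheckAllows(const Frame& frame) {
    const Frame* parent = frame.parent;
    return !parent || parent->origin == frame.origin;
}

// Walks the full ancestor chain. Any ancestor can navigate this frame, so a
// cross-origin ancestor anywhere above it could observe the anchor scroll.
bool ancestorChainCheckAllows(const Frame& frame) {
    for (const Frame* ancestor = frame.parent; ancestor; ancestor = ancestor->parent) {
        if (ancestor->origin != frame.origin)
            return false;
    }
    return true;
}

// The A > B > C tree from the review: B and C share an origin, A does not.
// Returns {parent-only result, ancestor-chain result} for frame C.
std::pair<bool, bool> checkNestedScenario() {
    Frame a{"https://a.example", nullptr};       // constructed sample origins
    Frame b{"https://b.example", &a};
    Frame c{"https://b.example", &b};
    return {parentOnlyCheckAllows(c), ancestorChainCheckAllows(c)};
}

// Control case: every frame shares one origin, so both checks should allow.
std::pair<bool, bool> checkSameOriginScenario() {
    Frame a{"https://b.example", nullptr};
    Frame b{"https://b.example", &a};
    Frame c{"https://b.example", &b};
    return {parentOnlyCheckAllows(c), ancestorChainCheckAllows(c)};
}
```

The parent-only check lets C's anchor scroll through even though A is cross-origin; the ancestor walk refuses it while still allowing the all-same-origin tree.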