[Webkit-unassigned] [Bug 73083] Fix the Frame Leak Attack
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Apr 10 09:10:35 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=73083
--- Comment #49 from Paul Stone <bugzilla at pdjs.co.uk> 2012-04-10 09:10:34 PST ---
Created an attachment (id=136465)
--> (https://bugs.webkit.org/attachment.cgi?id=136465&action=review)
Broken testcase (works in Firefox)
I just tested this in the Chrome Canary builds, and it seems that the fix is a bit too agressive. When navigating to a fragment in a cross-origin frame, it prevents the frame itself from scrolling. The frame itself should scroll (there's no leak there, Firefox still allows this), but it should prevent any any ancestor frames from scrolling if they're cross-origin.
I've attached a simple testcase that works in Firefox, but is broken in the Canary build. I think this could break some websites - for example API documentation that uses frames, where the table-of-contents pane is on a different (sub)domain than the main frame.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list