W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [XHR] security issue with spec's "same-origin" and the Document pointer

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Mon, 24 Nov 2008 12:47:25 +0100
To: "Anne van Kesteren" <annevk@opera.com>, public-webapps@w3.org
Message-ID: <op.uk4gdbp9a3v5gv@hr-opera.oslo.opera.com>

On Sun, 23 Nov 2008 22:32:02 +0100, Anne van Kesteren <annevk@opera.com>  
wrote:

>>>> var xhrConstructor = iframe.contentWindow.XMLHttpRequest;
>>>> iframe.src='http://attackee.example.com/';
>>>> .
>>>> .
>>>> var xhr = new xhrConstructor();
>>>>
>>>> When the constructor is invoked here, the associated document of its  
>>>> associated window object is not safe to do same-origin comparisons  
>>>> against. I've tested this in the main 4 engines, and they all protect  
>>>> against this exploit but as far as I can see someone implementing the  
>>>> spec as it's written would end up vulnerable.

>>> Why would the SECURITY_ERR exception not be thrown during the open()  
>>> method invocation as the specification requires?

>> Because when you call "new xhrConstructor()" the document pointer is  
>> initialized *but at that point the document of the associated window  
>> originates from attackee.example.com*.

> Once you navigate the original Document is either destroyed or stays  
> around. However, it does not suddenly change into the Document of  
> another domain.

The point is that there *is* no document pointer until you call the  
constructur - per the spec. And once that script calls the constructor and  
the document pointer is created, the associated window has a different  
document in it from a different origin. Hence the document pointer will  
reference a document from a different origin than the script itself has,  
and same-origin comparisons will pass when they should fail and vice versa.

If you still don't get it please read carefully because I don't know how  
to explain it clearer than that :-p. Besides, I'm on vacation and will try  
not to read E-mail ;)

-- 
Hallvord R. M. Steen
Core JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Monday, 24 November 2008 11:47:59 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:28 GMT