- From: <bugzilla@jessica.w3.org>
- Date: Thu, 13 Jun 2013 00:23:01 +0000
- To: public-script-coord@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346

            Bug ID: 22346
           Summary: Security: When invoking a method, getter, or setter on an
                    object using the property descriptor of another, we need
                    to do a security check
    Classification: Unclassified
           Product: WebAppsWG
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: WebIDL
          Assignee: cam@mcc.id.au
          Reporter: ian@hixie.ch
        QA Contact: public-webapps-bugzilla@w3.org
                CC: bzbarsky@mit.edu, mike@w3.org,
                    public-script-coord@w3.org, w3c@adambarth.com

Consider these tests:

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2317:

<iframe src="http://example.com/" id="other"></iframe>
<script>
 onload = function () {
   var theirDoc = frames.other.document;
   var ourGet = document.getElementsByTagName;
   var theirElements = ourGet.call(theirDoc, "*");
   alert(theirElements.length);
 }
</script>

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2316:

(same but local URL on iframe)

The second one should work, but the first one should fail, because you can't
access that property ('getElementsByTagName') on that object (the cross-origin
Document object).

We should probably monkeypatch "call()" to verify that the method, getter, or
setter that it is being invoked on is accessible on the object that's being
passed as the "this" binding, in addition to it being the right interface.

For example, for methods, we would add something around this step:

# 2. If O is not null and is also not a platform object that implements
#    interface I, throw a TypeError.

...to check that property is also accessible for the incumbent script on the
object O without an exception being thrown.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 13 June 2013 00:23:03 UTC
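
Added example, not part of the original message and not Web IDL or browser code: a toy JavaScript model of the interface check quoted in the report ("step 2") next to the extra accessibility check it proposes. The names makePlatformObject, defineOperation, isAccessible, CROSS_ORIGIN_ALLOWED and borrowedCall, the "SecurityError" name and the element list are assumptions made for illustration; origins are modelled as plain strings.

```javascript
// Toy model, not browser or Web IDL code: every name here is hypothetical.
const slots = new WeakMap();          // platform object -> internal state
let incumbentOrigin = null;           // origin of the script currently running

function makePlatformObject(iface, origin, elements) {
  const obj = {};
  slots.set(obj, { iface, origin, elements });
  return obj;
}

// Property names each interface exposes to other origins (none for Document here).
const CROSS_ORIGIN_ALLOWED = { Document: new Set() };

function isAccessible(state, name) {
  const allowed = CROSS_ORIGIN_ALLOWED[state.iface] || new Set();
  return state.origin === incumbentOrigin || allowed.has(name);
}

function defineOperation(iface, name, impl, securityCheck) {
  return function (...args) {
    const state = slots.get(this);
    // Existing step 2: `this` must be a platform object implementing `iface`.
    if (!state || state.iface !== iface) throw new TypeError("Illegal invocation");
    // Proposed extra check: `name` must be accessible on `this` for the incumbent script.
    if (securityCheck && !isAccessible(state, name)) {
      const err = new Error(name + " is not accessible on this object");
      err.name = "SecurityError"; // assumed error type; the report does not name one
      throw err;
    }
    return impl(state, ...args);
  };
}

// Borrow "our" getElementsByTagName and call it on a document owned by targetOrigin.
function borrowedCall(scriptOrigin, targetOrigin, securityCheck) {
  const ourGet = defineOperation("Document", "getElementsByTagName",
    (state, tag) => state.elements.filter((e) => tag === "*" || e === tag),
    securityCheck);
  const theirDoc = makePlatformObject("Document", targetOrigin, ["html", "head", "body"]);
  incumbentOrigin = scriptOrigin;
  try {
    return ourGet.call(theirDoc, "*").length;
  } catch (e) {
    return e.name;
  } finally {
    incumbentOrigin = null;
  }
}

const PAGE = "http://software.hixie.ch"; // constructed sample origins
console.log(borrowedCall(PAGE, "http://example.com", false)); // interface check only
console.log(borrowedCall(PAGE, "http://example.com", true));  // with the proposed check
console.log(borrowedCall(PAGE, PAGE, true));                  // same-origin target
```

With only the interface check, the borrowed method runs against the other origin's object because that object is still a Document; the added check is what separates the two test cases in the report.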