[Bug 22346] New: Security: When invoking a method, getter, or setter on an object using the property descriptor of another, we need to do a security check

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346

            Bug ID: 22346
           Summary: Security: When invoking a method, getter, or setter on
                    an object using the property descriptor of another, we
                    need to do a security check
    Classification: Unclassified
           Product: WebAppsWG
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: WebIDL
          Assignee: cam@mcc.id.au
          Reporter: ian@hixie.ch
        QA Contact: public-webapps-bugzilla@w3.org
                CC: bzbarsky@mit.edu, mike@w3.org,
                    public-script-coord@w3.org, w3c@adambarth.com

Consider these tests:

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2317:
  <iframe src="http://example.com/" id="other"></iframe>
  <script>
   onload = function () {
     var theirDoc = frames.other.document;
     var ourGet = document.getElementsByTagName;
     var theirElements = ourGet.call(theirDoc, "*");
     alert(theirElements.length);
   }
  </script>

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2316:
  (same but local URL on iframe)

The second one should work, but the first one should fail, because you can't
access that property ('getElementsByTagName') on that object (the cross-origin
Document object).

We should probably monkeypatch "call()" to verify that the method, getter, or
setter that it is being invoked on is accessible on the object that's being
passed as the "this" binding, in addition to it being the right interface.

For example, for methods, we would add something around this step:

#  2. If O is not null and is also not a platform object that implements 
#     interface I, throw a TypeError.

...to check that property is also accessible for the incumbent script on the
object O without an exception being thrown.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 13 June 2013 00:23:03 UTC