- From: <bugzilla@jessica.w3.org>
- Date: Thu, 13 Jun 2013 00:23:01 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22346
Bug ID: 22346
Summary: Security: When invoking a method, getter, or setter on an object using the property descriptor of another, we need to do a security check
Classification: Unclassified
Product: WebAppsWG
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: WebIDL
Assignee: cam@mcc.id.au
Reporter: ian@hixie.ch
QA Contact: public-webapps-bugzilla@w3.org
CC: bzbarsky@mit.edu, mike@w3.org, public-script-coord@w3.org, w3c@adambarth.com

Consider these tests:

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2317:

    <iframe src="http://example.com/" id="other"></iframe>
    <script>
     onload = function () {
       var theirDoc = frames.other.document;
       var ourGet = document.getElementsByTagName;
       var theirElements = ourGet.call(theirDoc, "*");
       alert(theirElements.length);
     }
    </script>

http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2316:
(same but local URL on iframe)

The second one should work, but the first one should fail, because you can't
access that property ('getElementsByTagName') on that object (the cross-origin
Document object).

We should probably monkeypatch "call()" to verify that the method, getter, or
setter that it is being invoked on is accessible on the object that's being
passed as the "this" binding, in addition to it being the right interface.

For example, for methods, we would add something around this step:

# 2. If O is not null and is also not a platform object that implements
# interface I, throw a TypeError.

...to check that property is also accessible for the incumbent script on the
object O without an exception being thrown.

Received on Thursday, 13 June 2013 00:23:02 UTC
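
Added example, not part of the original bug report and not WebIDL or browser code: a small JavaScript model of the operation-invocation step quoted above, comparing the interface-only check with the proposed extra accessibility check. `PlatformObject`, `isAccessible`, `makeOperation`, `outcome`, the `SecurityError` name, the allowlist and the sample origins are all assumptions made for the model.

```javascript
// Constructed model, not a browser API: a platform object is an interface
// name plus the origin of the document it belongs to.
class PlatformObject {
  constructor(iface, origin, elements = []) {
    Object.assign(this, { iface, origin, elements });
  }
}

// Assumed access policy: same-origin sees everything; cross-origin sees only
// a per-interface allowlist (sample entries; empty for Document).
const CROSS_ORIGIN_ALLOWED = { Window: new Set(["postMessage"]), Document: new Set() };

function isAccessible(O, name, incumbentOrigin) {
  if (O.origin === incumbentOrigin) return true;
  const allowed = CROSS_ORIGIN_ALLOWED[O.iface];
  return allowed !== undefined && allowed.has(name);
}

// Builds the function object for operation `name` on interface I.
// incumbentOrigin stands in for the incumbent script; the null-`this` case
// (global object substitution) is left out of this model.
function makeOperation(I, name, impl, incumbentOrigin, withAccessCheck) {
  return function (...args) {
    const O = this;
    // Step 2 as quoted in the report: interface check only.
    if (!(O instanceof PlatformObject) || O.iface !== I) {
      throw new TypeError(`'this' does not implement ${I}`);
    }
    // Proposed addition: the property must also be accessible on O.
    if (withAccessCheck && !isAccessible(O, name, incumbentOrigin)) {
      const err = new Error(`${name} is not accessible on this object`);
      err.name = "SecurityError"; // assumed error type; the report names none
      throw err;
    }
    return impl.apply(O, args);
  };
}

function outcome(op, thisArg, ...args) { // result, or name of the exception
  try { return op.call(thisArg, ...args); } catch (e) { return e.name; }
}

// Constructed sample: our document and a cross-origin one, as in the report.
const ours = new PlatformObject("Document", "http://ours.test", ["html", "body"]);
const theirs = new PlatformObject("Document", "http://example.com", ["html"]);
const count = function () { return this.elements.length; };
const unchecked = makeOperation("Document", "getElementsByTagName", count, ours.origin, false);
const checked = makeOperation("Document", "getElementsByTagName", count, ours.origin, true);
console.log(outcome(unchecked, theirs, "*"), outcome(checked, theirs, "*"), outcome(checked, ours, "*"));
```

With the interface check alone the borrowed method runs against the cross-origin object; with the added check the same call throws, while the same-origin call still succeeds.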