
Issue 103384

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 7988
Owner: ----
Closed: Nov 2011
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security

Restricted
  • Only users with Commit permission may comment.




Security: Setting document.domain to "org" or any other TLD

Reported by fon...@gmail.com, Nov 8 2011

Issue description

This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS

https://developer.mozilla.org/en/DOM/document.domain

clearly states that setting document.domain to "org" or any other TLD should not be valid. I was not able to find any relevant documentation for Chrome/WebKit.

This is possible and leads to cross-domain JavaScript access. This also works in Safari 5.1.

VERSION
Chrome Version: 17.0.932.0 dev
Operating System: Mac OS X 10.7

REPRODUCTION CASE

Go to a .com page, e.g.:

www.macrumors.com

Open the developer panel and run:

document.domain
"www.macrumors.com" // as intended

window.open('http://www.engadget.com") and allow popups, popups are used in this demo but iframes should work just aswell

In the Engadget window run:

window.opener.location.href
which will produce a security error.

Now run:
document.domain = 'com'
in both windows,

and then:
window.opener.location.href
"http://www.macrumors.com/"

which proves JavaScript access. Running the same test in Firefox results in a security error when setting the domains.

Comment 1 by kenrb@chromium.org, Nov 8 2011

Labels: -Restrict-View-SecurityTeam
Mergedinto: 7988
Status: Duplicate
Funny, I was asking this question just the other day.

It's not a security vulnerability, really, because no self-respecting web page should ever set document.domain = "com". It is a vulnerability of the site if that is the case.

That said, other browsers do it as a precaution, and we should too. Nobody has picked it up because the WebKit plumbing it needs is onerous.
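The reproduction steps in the report and Comment 1's remark that other browsers reject a bare TLD describe two behaviours: a document.domain setter that either accepts or refuses the value, and the origin comparison that then decides whether the popup may read window.opener.location.href. The following is an added model of both, written for this note and not code from Chromium, WebKit or the reporter. It follows the rule the HTML specification gives for the setter (the value must equal the current host or be a label-boundary suffix of it that is not a public suffix; IP literals cannot be relaxed) and the same origin-domain comparison. The public suffix set is a small constructed subset, not the real list; the hosts are the ones from the report.

```javascript
// Constructed subset of the public suffix list; a real browser consults the
// full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Normalise a host before comparing: lowercase and drop one trailing dot.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// The setter's validity check. Returns {ok, reason} so the reason can be
// logged or surfaced as the SecurityError message.
function checkDomainRelaxation(currentHost, candidate) {
  const host = normalizeHost(currentHost);
  const cand = normalizeHost(candidate);
  if (cand === "") return { ok: false, reason: "empty value" };
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) || host.startsWith("[")) {
    return { ok: false, reason: "IP literals cannot relax document.domain" };
  }
  if (cand === host) return { ok: true, reason: "unchanged" };
  // Must be a suffix on a label boundary: "rumors.com" is not a suffix of
  // "www.macrumors.com" in this sense, "macrumors.com" is.
  if (!host.endsWith("." + cand)) {
    return { ok: false, reason: `${cand} is not a domain suffix of ${host}` };
  }
  // This is the check the report says Chrome 17 lacked: "com" is a public
  // suffix, so relaxing to it must be refused.
  if (PUBLIC_SUFFIXES.has(cand)) {
    return { ok: false, reason: `${cand} is a public suffix` };
  }
  return { ok: true, reason: "relaxed to a registrable domain or deeper" };
}

// Minimal origin tuple; `domain` is null until document.domain is set.
function makeOrigin(scheme, host, port) {
  return { scheme, host: normalizeHost(host), port, domain: null };
}

// document.domain setter. strict=true enforces the check above (the
// behaviour Comment 1 says other browsers have); strict=false reproduces
// the permissive behaviour the report observed.
function setDocumentDomain(origin, value, strict = true) {
  const result = checkDomainRelaxation(origin.host, value);
  if (strict && !result.ok) {
    throw new Error("SecurityError: " + result.reason);
  }
  origin.domain = normalizeHost(value);
  return result;
}

// Same origin-domain comparison: with both domains unset, scheme, host and
// port must match; once both are set, scheme and domain must match.
function canScriptAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  return a.domain !== null && b.domain !== null && a.domain === b.domain;
}

// Replay the report's scenario under a given policy: the popup tries to
// read the opener before and after both pages set document.domain = 'com'.
function replay(strict) {
  const opener = makeOrigin("http", "www.macrumors.com", 80);
  const popup = makeOrigin("http", "www.engadget.com", 80);
  const before = canScriptAccess(popup, opener);
  let setAccepted = true;
  try {
    setDocumentDomain(opener, "com", strict);
    setDocumentDomain(popup, "com", strict);
  } catch (e) {
    setAccepted = false; // SecurityError, as the reporter saw in Firefox
  }
  return { before, setAccepted, after: canScriptAccess(popup, opener) };
}

console.log("permissive:", JSON.stringify(replay(false)));
console.log("strict:    ", JSON.stringify(replay(true)));
```

Under the permissive policy the replay shows exactly what the report describes: access is blocked before the relaxation and granted afterwards. Under the strict policy the first assignment throws, neither origin's domain changes, and the later read is still refused. Note that the public-suffix test, not merely a "single label" test, is what matters: "co.uk" has two labels and must be rejected just like "com".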

Comment 2 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Mergedinto: chromium:7988
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 3 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security Type-Bug-Security

Comment 4 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined
Labels: allpublic