Issue 147625 Security: UXSS/SOP bypass with document.write (Chrome on iOS)
Reported by lpil...@gmail.com, Sep 10 2012
Status: Fixed
Owner:
Closed: Sep 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security
VULNERABILITY DETAILS
It is possible to get cross-domain JavaScript access using document.write:
http://runic.pl/testy/ipad/uxss.html

VERSION
Chrome Version: Chrome 21.0.1180.80 stable
Operating System: iOS 5.1.1 (iPad 2)

REPRODUCTION CASE
http://runic.pl/testy/ipad/uxss.html

May be also related to http://code.google.com/p/chromium/issues/detail?id=146760

Comment 1 by palmer@chromium.org, Sep 10 2012
Cc: astrange@chromium.org palmer@chromium.org whitelaw@chromium.org pinkerton@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals OS-iOS Mstone-22 SecImpacts-Stable
Owner: qsr@chromium.org
Status: Assigned
Assigning to qsr on the assumption that it is related to http://code.google.com/p/chromium/issues/detail?id=146760.

This does work on iPod/iPhone, not just iPad. The alert does fire, so the script does get injected to the other domain, although the pop-up box has "about://null" in its title bar, and the Omnibox shows "about:blank" instead of example.com. But the contents of IANA's example.com page do indeed show up in the pop-up.
Comment 2 by palmer@chromium.org, Sep 10 2012
Labels: reward-topanel
This is being tracked by b/7143205.
Comment 4 by qsr@chromium.org, Sep 11 2012
This was not related to http://code.google.com/p/chromium/issues/detail?id=146760.

This was due to not passing a baseURL when loading an HTML string in a webview, resulting in the internal URL of the webview being applewebdata://XXXX which seems to be able to do anything it wants, X-Origin.

Fixed.
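The root cause described in comment 4, as an added illustration that is not Chromium's own code: the vulnerable UIWebView call site beside the hardened one, plus a delegate-side check that flags a document that ended up on an applewebdata:// URL. The helper names and the about:blank base URL are assumptions made for the example; the real base URL depends on what origin the host page should have.

```objectivec
#import <UIKit/UIKit.h>

// Constructed example, not Chromium's code. Loading an HTML string into a
// UIWebView with a nil baseURL gives the document an applewebdata://<UUID>/
// URL, which the report describes as able to script other origins.

// Hypothetical helper; the about:blank base is an assumption for this example.
// It only has to be a URL whose origin carries no special privileges.
static NSURL *SafeBaseURL(void) {
    return [NSURL URLWithString:@"about:blank"];
}

// Vulnerable pattern (the bug in this issue): no base URL is passed, so the
// loaded document lands on an applewebdata:// URL.
static void LoadHTMLUnsafe(UIWebView *webView, NSString *html) {
    [webView loadHTMLString:html baseURL:nil];
}

// Hardened pattern: always supply an explicit base URL so the document gets an
// ordinary origin that the same-origin policy applies to.
static void LoadHTMLSafe(UIWebView *webView, NSString *html) {
    [webView loadHTMLString:html baseURL:SafeBaseURL()];
}

// Defensive check for a UIWebViewDelegate's webViewDidFinishLoad:.
// Returns NO when the document was loaded onto an applewebdata:// URL, which
// indicates a call site that forgot the base URL; log or assert on that.
static BOOL DocumentHasSafeOrigin(UIWebView *webView) {
    NSString *url = [webView stringByEvaluatingJavaScriptFromString:@"document.URL"];
    return ![url hasPrefix:@"applewebdata://"];
}
```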
Comment 5 by qsr@chromium.org, Sep 11 2012
Status: Fixed
Comment 6 by palmer@chromium.org, Sep 24 2012
Labels: SecSeverity-High
Comment 7 by lpil...@gmail.com, Sep 25 2012
I confirm it's fixed in 21.0.1180.82, thanks.
Comment 8 by palmer@chromium.org, Sep 25 2012
Cc: kerz@chromium.org
Labels: -Mstone-22 Mstone-21
pinkerton (or anybody), I take it this one also made it into M21 after all?

Again, sorry kerz. How shall we announce these fixes in release notes? Issue a correction in the M23 release notes?
From qsr: "Pushed to B21 as cc06e1047cad8baa74320533a2322818a79d8f6f"


Comment 10 by palmer@google.com, Sep 26 2012
lpilorz, how would you like us to credit you in the Chrome release notes? As Lukasz Pilorz, or in some other way?
Comment 11 by palmer@google.com, Sep 26 2012
(Rather, I assume, Łukasz Pilorz. Took me a while to find the right Compose key combination on Linux. :))
Comment 12 by lpil...@gmail.com, Sep 26 2012
"Łukasz Pilorz" would be great, thanks :)
Labels: CVE-2012-2899
Labels: -reward-topanel reward-500 reward-unpaid
Labels: -reward-unpaid
Payment ready for wire as part of $1000 batch
Project Member Comment 16 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -Mstone-21 -SecImpacts-Stable -SecSeverity-High Security-Impact-Stable M-21 Cr-Internals Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityTeam
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2 2016
Labels: Restrict-View-SecurityNotify
Labels: allpublic
Project Member Comment 24 by sheriffbot@chromium.org, Oct 3 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot