Status: WontFix
Closed: May 29
OS: Linux
Pri: 2
Type: Bug

Deletion of cross-domain-referenceable properties may leak information
Reported by pvtolk...@gmail.com, Jan 25 2016
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce the problem:
1. Window in domain A deletes window.blur
2. Iframe or opened window in domain B, tries to access parent.blur or opener.blur
3. Page B catches an exception for SOP violation (while w/o deletion does not)

I've done a very quick demo (a little bogus, try refreshing after every transmission) that sends information to another domain using this mechanism: http://vwzq.net/lab/covert/deletion.html

What is the expected behavior?
Domain B shouldn't be able to detect any direct change in the properties of another domain. Should it?

What went wrong?
Domain B has the ability to detect if another domain has deleted some properties (blur, focus, close, parent, opener, length, frames, closed).

Did this work before? No 

Chrome version: 47.0.2526.80  Channel: stable
OS Version: 3.16.0-4-amd64
Flash Version: 

I don't think that this was a vulnerability, but since other browsers were acting "better" I decided to report.
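
The check from the steps to reproduce, written as a probe that a test page in domain B could run against `parent` or `opener` to confirm that none of the listed property reads throws. This is an added example, not code from the report or from Chromium; `probeWindow`, `leakingProps` and `mockWindowRef` are hypothetical names, and the mock is a constructed stand-in for a cross-origin window reference so the block also runs outside a browser.

```javascript
// Added example; the property names are the ones listed in the report.
const REPORTED_PROPS = ['blur', 'focus', 'close', 'parent', 'opener',
                        'length', 'frames', 'closed'];

// Read each property on a window reference and record whether the read throws.
function probeWindow(target, props = REPORTED_PROPS) {
  const result = {};
  for (const name of props) {
    try {
      void target[name];               // plain property read, value unused
      result[name] = 'readable';
    } catch (e) {
      result[name] = 'throws:' + ((e && e.name) || 'Error');
    }
  }
  return result;
}

// Properties whose read threw, i.e. the ones whose state is observable.
function leakingProps(target, props = REPORTED_PROPS) {
  const probed = probeWindow(target, props);
  return props.filter((name) => probed[name] !== 'readable');
}

// Constructed stand-in for a cross-origin window reference (an assumption for
// this example, not Chromium's implementation). With observable=true, reads of
// properties the owner deleted throw, as the report describes; with
// observable=false, deletions by the owner have no visible effect.
function mockWindowRef(deletedByOwner, observable) {
  const deleted = new Set(deletedByOwner);
  return new Proxy({}, {
    get(_target, name) {
      if (observable && deleted.has(name)) {
        const err = new Error('constructed cross-origin access error');
        err.name = 'SecurityError';
        throw err;
      }
      return name === 'length' ? 0 : name === 'closed' ? false : function () {};
    },
  });
}

// In a browser, from a cross-origin iframe: leakingProps(window.parent)
console.log(leakingProps(mockWindowRef(['blur'], true)));
console.log(leakingProps(mockWindowRef(['blur'], false)));
```

A regression test would assert that `leakingProps` returns an empty array regardless of what the other window has deleted.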
 
Comment 1 by dcheng@chromium.org, Jan 25 2016
Cc: yukishiino@chromium.org haraken@chromium.org
Labels: Cr-Blink-Bindings
Owner: yukishiino@chromium.org
Labels: -Restrict-View-SecurityTeam
I agree that isn't quite enough to warrant being a vulnerability.

The demo is actually kind of cute, but an exploit requires, say, stealing significant data from a non-cooperating parent. :-)
Labels: -Type-Bug-Security Type-Bug
Status: Assigned
Confirmed a reproduction.

Status: WontFix
We implemented a new cross-origin property access and the issue is no longer happening.
