Issue metadata

Status: WontFix
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Deletion of cross-domain-referenceable properties may leak information

Reported by, Jan 25 2016

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36

Steps to reproduce the problem:
1. Window in domain A deletes window.blur
2. Iframe or opened window in domain B tries to access parent.blur or opener.blur
3. Page B catches an exception for SOP violation (while w/o deletion does not)

I've done a very quick demo (a little bogus, try refreshing after every transmission) that sends information to another domain using this mechanism:

What is the expected behavior?
Domain B shouldn't be able to detect any direct change in the properties of another domain. Should it?

What went wrong?
Domain B has the ability to detect if another domain has deleted some properties (blur, focus, close, parent, opener, length, frames, closed).

Did this work before? No 

Chrome version: 47.0.2526.80  Channel: stable
OS Version: 3.16.0-4-amd64
Flash Version: 

I don't think that this was a vulnerability, but since other browsers were acting "better" I decided to report.

Comment 1 by, Jan 25 2016

Labels: Cr-Blink-Bindings
Labels: -Restrict-View-SecurityTeam
I agree that isn't quite enough to warrant being a vulnerability.

The demo is actually kind of cute, but an exploit requires, say, stealing significant data from a non-cooperating parent. :-)
Labels: -Type-Bug-Security Type-Bug
Status: Assigned
Confirmed a reproduction.

Status: WontFix (was: Assigned)
We implemented a new cross-origin property access and the issue is no longer happening.
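
The check implied by the steps to reproduce, written as a regression test. This is an added example, not code from the report or from Chrome. The window object and both handle models are constructed stand-ins, and the snapshot used in the non-leaky model is an assumption, since the thread does not describe how the new cross-origin property access works.

```javascript
// Properties the report lists as detectable across origins.
const PROPS = ['blur', 'focus', 'close', 'parent', 'opener', 'length', 'frames', 'closed'];

// Constructed stand-in for a page's window object (hypothetical, minimal).
function freshWindow() {
  return { blur() {}, focus() {}, close() {}, parent: null, opener: null,
           length: 0, frames: [], closed: false };
}

// Constructed model of the handle another origin holds (parent / opener).
// leaky = true:  a lookup fails with a security error once the page has
//                deleted the property, which is the behaviour reported.
// leaky = false: allowlisted lookups are answered from a snapshot taken at
//                creation (an assumption), so page changes are not observable.
function crossOriginHandle(target, leaky) {
  const pristine = { ...target };
  return new Proxy({}, {
    get(_obj, prop) {
      if (!PROPS.includes(prop)) throw new Error('SecurityError');
      if (leaky && !(prop in target)) throw new Error('SecurityError');
      return leaky ? target[prop] : pristine[prop];
    },
  });
}

// Names of the properties whose access throws through the handle.
function blockedProps(handle) {
  return PROPS.filter((p) => {
    try { void handle[p]; return false; } catch (e) { return true; }
  });
}

// Regression check: which properties change from readable to throwing
// after the owning page deletes them? An empty list means nothing leaks.
function leakedProps(leaky) {
  const target = freshWindow();
  const handle = crossOriginHandle(target, leaky);
  const before = blockedProps(handle);
  for (const p of PROPS) delete target[p];
  return blockedProps(handle).filter((p) => !before.includes(p));
}

console.log('leaky model:', leakedProps(true));
console.log('fixed model:', leakedProps(false));
```

In a real browser test, `blockedProps` would be run from a cross-origin frame against `parent` before and after the parent page deletes the properties, and the two results should be identical.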