non-secure context https iframe can open secure context window
Reported by olli.pet...@gmail.com, Sep 23 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Example URL:

Steps to reproduce the problem:
Do what example 9 in https://w3c.github.io/webappsec-secure-contexts/ explains. The newly opened window object has window.isSecureContext true, but the opener has window.w.isSecureContext false.

What is the expected behavior?
Both should be false

What went wrong?
opened window has isSecureContext true.

Does it occur on multiple sites: N/A
Is it a problem with a plugin? N/A
Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: Channel: n/a
OS Version:
Flash Version:
,
Sep 23 2016
s/opener has window.w.isSecureContext/opener has window.isSecureContext/
,
Sep 24 2016
Hmm, it is not example 9, since this isn't about a worker, but about opening a new window. So, the testcase is to have an http top-level page from origin A; it has an iframe which has a page from https domain B, and then in that iframe one does var w = window.open(location.href); The window object inside the iframe has isSecureContext == false, but the newly opened window has isSecureContext == true. And the newly opened window and the iframe window can access each other.
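
Added example (not part of the original report and not Chromium's code): a toy JavaScript model of the three contexts in the testcase above, comparing a check that walks only the ancestor chain with one that also consults the opener, which is the behaviour the report expects. The origins a.example and b.example and all class and function names are constructed, and the trustworthiness test is simplified to scheme and loopback host.

```javascript
// Toy model of the testcase: http top-level page (origin A), https iframe
// (origin B), and a window opened from that iframe. All names are constructed.

// Simplified "potentially trustworthy" test: scheme and loopback hosts only.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  return ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
}

class Context {
  constructor(url, { parent = null, opener = null } = {}) {
    this.url = url;
    this.parent = parent; // embedding context, if this is a frame
    this.opener = opener; // context that called window.open(), if any
  }
  open(url) { return new Context(url, { opener: this }); }
}

// Behaviour observed in the report: only the context and its ancestors count.
function secureIgnoringOpener(ctx) {
  for (let c = ctx; c; c = c.parent) {
    if (!isPotentiallyTrustworthy(c.url)) return false;
  }
  return true;
}

// Behaviour the report expects: a non-secure opener makes the new window
// non-secure as well (modelled here as an assumption).
function secureWithOpenerCheck(ctx) {
  if (!secureIgnoringOpener(ctx)) return false;
  return ctx.opener ? secureWithOpenerCheck(ctx.opener) : true;
}

function reportScenario() {
  const top = new Context("http://a.example/");
  const frame = new Context("https://b.example/page", { parent: top });
  const popup = frame.open(frame.url); // var w = window.open(location.href)
  return {
    frame: secureIgnoringOpener(frame),         // iframe under http parent
    popupObserved: secureIgnoringOpener(popup), // what the report saw
    popupExpected: secureWithOpenerCheck(popup) // what the report expects
  };
}
```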
,
Nov 16 2016
Mike, can you help triage this?
,
Nov 16 2016
,
Nov 17 2016
Sounds like a bug. I'll take a look.
,
Jul 25 2017
,
Jul 25 2017
Issue 748523 has been merged into this issue.
,
Nov 10 2017
,
Feb 18 2018
Comment 1 by olli.pet...@gmail.com
, Sep 23 2016