Security: Read cookies from cross-domain frame
Reported by
xiaopig...@gmail.com,
Jan 16 2018
Issue description

vim poc.html

    <iframe src="http://xiaopigfly.com/" onload="alert(frames[0].document.cookie)">

You need to visit http://ip/poc.html (poc.html on the server). You can look at the picture WX20180116-151238@2x.png and then you can look at WX20180116-151555@2x.png. Safari gives an error; normally this is not allowed to be done, and in Chrome the same IP on different ports can also cross domains.

VERSION
Chrome Version: 63.0.3239.132
Operating System: macOS
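The report hinges on whether the top document and the framed document share an origin: a browser only lets a script reach `frames[0].document` (and so `document.cookie`) when scheme, host and port all match, otherwise the access throws a SecurityError, which is the DOMException the Chromium engineers quote later in the thread. The following is an added example, not code from the bug report or from Chromium. It reproduces that origin comparison in Node.js with the URL API, models a cross-origin WindowProxy as an object that throws on `.document`, and runs it over the URLs from the report plus a few constructed variants (the `:8080` and `example.com` cases are assumptions chosen to illustrate the port and hostname points raised in the thread).

```javascript
// Added example (not part of the bug report or of Chromium): models the
// same-origin check a browser applies before a document may script-access
// a frame's document (and therefore its document.cookie). An origin is the
// tuple (scheme, host, port); any difference makes the frame cross-origin
// and the access throws a SecurityError DOMException, as in the thread.
// Runs under Node.js; URLs are from the report plus constructed variants.

function origin(url) {
  // URL.origin already normalises default ports (80 for http, 443 for https)
  return new URL(url).origin;
}

// Returns true if a document at `parentUrl` could read
// frames[0].document.cookie for an <iframe src=frameUrl>.
function canScriptAccessFrame(parentUrl, frameUrl) {
  return origin(parentUrl) === origin(frameUrl);
}

// A stand-in for the frame's WindowProxy: behaves like a browser in that
// .document throws a SecurityError when the frame is cross-origin.
// `cookie` is a constructed sample value, not a real cookie.
function makeFrame(parentUrl, frameUrl, cookie) {
  const allowed = canScriptAccessFrame(parentUrl, frameUrl);
  return {
    get document() {
      if (!allowed) {
        const err = new Error(
          `Blocked a frame with origin "${origin(parentUrl)}" from accessing a cross-origin frame.`);
        err.name = 'SecurityError';
        throw err;
      }
      return { cookie };
    },
  };
}

// What the report's onload handler attempts, with the failure mode handled
// instead of surfacing as an uncaught DOMException.
function readFrameCookie(parentUrl, frameUrl, cookie) {
  const frame = makeFrame(parentUrl, frameUrl, cookie);
  try {
    return { ok: true, cookie: frame.document.cookie };
  } catch (e) {
    if (e.name === 'SecurityError') return { ok: false, error: e.message };
    throw e;
  }
}

const cases = [
  ['http://47.52.62.66/poc1.html', 'http://xiaopigfly.com/'],          // from the report
  ['http://47.52.62.66/poc1.html', 'http://47.52.62.66:8080/'],        // same IP, other port (constructed)
  ['http://47.52.62.66/poc1.html', 'http://47.52.62.66:80/other.html'],// explicit default port (constructed)
  ['http://example.com/poc.html', 'http://47.52.62.66/'],              // hostname vs. the IP it resolves to (constructed)
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const [p, f] of cases) {
    console.log(p, '->', f, readFrameCookie(p, f, 'session=abc'));
  }
}
```

Only the explicit-`:80` case succeeds, because the URL parser drops the default port before comparing; a different port or a hostname that merely resolves to the same IP is a different origin, so the alert in the report's poc.html should throw rather than display a cookie.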
Jan 16 2018
example.com needs an A record resolving to the server; use this server's IPv4 address to access poc.html.
Jan 16 2018
In Chrome 64 and Chrome 65 visiting http://47.52.62.66/poc1.html shows
Uncaught DOMException: Blocked a frame with origin "http://47.52.62.66" from accessing a cross-origin frame.
at HTMLIFrameElement.onload (http://47.52.62.66/poc1.html:1:96)
Unfortunately, I don't have a Chrome 63 instance any longer.
Jan 16 2018
I wasn't able to reproduce this on Windows Chrome 63.
Jan 16 2018
It is macOS, Chrome 63.
Jan 16 2018
Very strange. I also tested on another macOS and it did not cross domains, but from another computer I was allowed to cross domains!
Jan 16 2018
I am not sure exactly what caused this
Jan 17 2018
On Chrome M63 on Mac, visiting the URL in #3 shows the same result as in #3:
Uncaught DOMException: Blocked a frame with origin "http://47.52.62.66" from accessing a cross-origin frame.
at HTMLIFrameElement.onload (http://47.52.62.66/poc1.html:1:96)
I'm marking as WontFix. If you have a new working repro, please file another bug. Thanks.
Apr 25 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by xiaopig...@gmail.com, Jan 16 2018: attachment (154 KB)