Bug 528663: Don't allow access to iframe.contentDocument across domains
Status: Closed, RESOLVED DUPLICATE of bug 829872
Opened 15 years ago; closed 11 years ago
Categories: Core :: Security, defect
People: Reporter: jruderman, Unassigned
Details: Keywords: sec-want, Whiteboard: [sg:want P5] [browserscope]
Browserscope deducts points for allowing access to contentDocument across domains:
http://www.browserscope.org/security/about
http://www.stevesouders.com/blog/2009/11/11/security-tests-added-to-browserscope/

We're actually allowing access to a XOW, but that's probably more than we should be allowing.

Jonas Sicking said in an email: "I think we solved [bug 422025] the wrong way. While I don't know of any exploits currently, it's introducing unnecessary complexity into the platform. It's the one case where a page can hold a reference to a node from another domain. We should just make .contentDocument return null for cross-origin frames."

Bug 422025 comment 11 explains why we don't want to throw.

Reporter, updated 15 years ago:
Whiteboard: [sg:want P5]

Updated 14 years ago:
Whiteboard: [sg:want P5] → [sg:want P5] [browserscope]

Reporter, updated 11 years ago:
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
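
The outcomes this report discusses for a cross-origin frame (a null contentDocument, a getter that throws, and a wrapper object that can be held but not read) can be told apart with a small regression check. This is an added example, not code from the bug or from Mozilla; the frame objects are constructed mocks, and the Proxy stand-in assumes a cross-origin wrapper denies every property read.

```javascript
// Added example: frame objects are constructed mocks, not real browser iframes.
function denyAll() { throw new Error("Permission denied (constructed)"); }

// Classify what a frame's contentDocument getter hands back to the caller.
function classifyFrameDocument(frame) {
  let doc;
  try {
    doc = frame.contentDocument;
  } catch (e) {
    return "throws";                 // the getter itself throws
  }
  if (doc === null || doc === undefined) return "null";
  try {
    void doc.documentElement;        // any read of document content
  } catch (e) {
    return "wrapper";                // reference is held, reads are denied
  }
  return "readable";
}

// Regression check in the spirit of the report: for frames known to be
// cross-origin, any result other than "null" deviates from the proposal.
function crossOriginViolations(frames) {
  return frames
    .filter((f) => f.crossOrigin)
    .map((f) => ({ name: f.name, result: classifyFrameDocument(f.frame) }))
    .filter((r) => r.result !== "null");
}

// Constructed sample frames (assumption: a wrapper denies every property read).
const sampleFrames = [
  { name: "same-origin", crossOrigin: false,
    frame: { contentDocument: { documentElement: {} } } },
  { name: "xo-null", crossOrigin: true, frame: { contentDocument: null } },
  { name: "xo-wrapper", crossOrigin: true,
    frame: { contentDocument: new Proxy({}, { get: denyAll }) } },
  { name: "xo-throws", crossOrigin: true,
    frame: { get contentDocument() { return denyAll(); } } },
];

console.log(crossOriginViolations(sampleFrames));
```

In a browser test page, the same classifier can be pointed at real iframe elements whose origins the test controls.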