If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Don't allow access to iframe.contentDocument across domains

RESOLVED DUPLICATE of bug 829872

Status

()

Core
Security
RESOLVED DUPLICATE of bug 829872
8 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

({sec-want})

Trunk
x86
Mac OS X
sec-want
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want P5] [browserscope])

(Reporter)

Description

8 years ago
Browserscope deducts points for allowing access to contentDocument across domains:
http://www.browserscope.org/security/about
http://www.stevesouders.com/blog/2009/11/11/security-tests-added-to-browserscope/

We're actually allowing access to a XOW, but that's probably more than we should be allowing.

Jonas Sicking said in an email:

"I think we solved [bug 422025] the wrong way. While I don't know of
any exploits currently, it's introducing unneccesary complexity into
the platform. It's the one case where a page can hold a reference to a
node from another domain. We should just make .contentDocument return
null for cross-origin frames."

Bug 422025 comment 11 explains why we don't want to throw.
(Reporter)

Updated

8 years ago
Whiteboard: [sg:want P5]

Updated

7 years ago
Whiteboard: [sg:want P5] → [sg:want P5] [browserscope]
Keywords: sec-want
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 829872
You need to log in before you can comment on or make changes to this bug.