Closed Bug 528663 Opened 15 years ago Closed 11 years ago

Don't allow access to iframe.contentDocument across domains

Categories

(Core :: Security, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 829872

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [sg:want P5] [browserscope])

Browserscope deducts points for allowing access to contentDocument across domains:
http://www.browserscope.org/security/about
http://www.stevesouders.com/blog/2009/11/11/security-tests-added-to-browserscope/

We're actually allowing access to a XOW, but that's probably more than we should be allowing.

Jonas Sicking said in an email:

"I think we solved [bug 422025] the wrong way. While I don't know of
any exploits currently, it's introducing unneccesary complexity into
the platform. It's the one case where a page can hold a reference to a
node from another domain. We should just make .contentDocument return
null for cross-origin frames."

Bug 422025 comment 11 explains why we don't want to throw.
Whiteboard: [sg:want P5]
Whiteboard: [sg:want P5] → [sg:want P5] [browserscope]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.