Closed
Bug 903574
Opened 11 years ago
Closed 11 years ago
nsGlobalWindow::GetSupportedNames should not go through the outer to get the frame names
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INVALID
People
(Reporter: bzbarsky, Unassigned)
Details
Seems to me like this allows a that's not the current inner to get the list of frame names of the current inner via its own GSP, no? Most simply, maybe we should just return the empty list if the inner is not current? Or just get the relevant list of names directly off the inner somehow?
Flags: needinfo?(peterv)
Flags: needinfo?(bobbyholley+bmo)
Updated•11 years ago
Group: dom-core-security → core-security
Comment 1•11 years ago
(In reply to Vacation until Aug 19. Do not ask for review. from comment #0)
> Seems to me like this allows a that's not the current inner to get the list
> of frame names of the current inner via its own GSP, no?

Yes, but is that a security issue? This information ends up in the browsing context tree, and is exposed to cross-origin script via access on |window|. I was under the impression that frame names of the active window were not private.
Flags: needinfo?(bobbyholley+bmo)
Comment 2•11 years ago
Hrm. Do sites depend on exposing frame names cross-origin? I thought we wanted to lock this down.....
Updated•11 years ago
Flags: needinfo?(bobbyholley+bmo)
Comment 3•11 years ago
(In reply to Vacation until Aug 19. Do not ask for review. from comment #2)
> Hrm. Do sites depend on exposing frame names cross-origin? I thought we
> wanted to lock this down.....

See the spec bug I filed for this: https://www.w3.org/Bugs/Public/show_bug.cgi?id=21674
Flags: needinfo?(bobbyholley+bmo)
Comment 4•11 years ago
Hmm. It bothers me to leak info cross-site like this, but OK. I guess we should open up this bug and mark it invalid?
Comment 5•11 years ago
(In reply to Vacation until Aug 19. Do not ask for review. from comment #4)
> Hmm. It bothers me to leak info cross-site like this, but OK. I guess we
> should open up this bug and mark it invalid?

Given the spec bug, I don't think this behavior is a secret. We could also try disabling it and seeing if it breaks websites if we care enough.
Comment 7•11 years ago
(In reply to Andrew McCreight [:mccr8] from comment #6)
> Can we open this up, Bobby?

Yes.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(peterv)
Flags: needinfo?(bobbyholley+bmo)
Resolution: --- → INVALID
Updated•5 years ago
Component: DOM → DOM: Core & HTML