Closed Bug 903574 Opened 11 years ago Closed 11 years ago

nsGlobalWindow::GetSupportedNames should not go through the outer to get the frame names

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: bzbarsky, Unassigned)

Details

Seems to me like this allows a that's not the current inner to get the list of frame names of the current inner via its own GSP, no?

Most simply, maybe we should just return the empty list if the inner is not current?  Or just get the relevant list of names directly off the inner somehow?
Flags: needinfo?(peterv)
Flags: needinfo?(bobbyholley+bmo)
Group: dom-core-security → core-security
(In reply to Vacation until Aug 19.  Do not ask for review. from comment #0)
> Seems to me like this allows a that's not the current inner to get the list
> of frame names of the current inner via its own GSP, no?

Yes, but is that a security issue? This information ends up in the browsing context tree, and is exposed to cross-origin script via access on |window|. I was under the impression that frame names of the active window were not private.
Flags: needinfo?(bobbyholley+bmo)
Hrm.  Do sites depend on exposing frame names cross-origin?  I thought we wanted to lock this down.....
Flags: needinfo?(bobbyholley+bmo)
(In reply to Vacation until Aug 19.  Do not ask for review. from comment #2)
> Hrm.  Do sites depend on exposing frame names cross-origin?  I thought we
> wanted to lock this down.....

See the spec bug I filed for this: https://www.w3.org/Bugs/Public/show_bug.cgi?id=21674
Flags: needinfo?(bobbyholley+bmo)
Hmm.  It bothers me to leak info cross-site like this, but OK.  I guess we should open up this bug and mark it invalid?
(In reply to Vacation until Aug 19.  Do not ask for review. from comment #4)
> Hmm.  It bothers me to leak info cross-site like this, but OK.  I guess we
> should open up this bug and mark it invalid?

Given the spec bug, I don't think this behavior is a secret.

We could also try disabling it and seeing if it breaks websites if we care enough.
Can we open this up, Bobby?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Andrew McCreight [:mccr8] from comment #6)
> Can we open this up, Bobby?

Yes.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(peterv)
Flags: needinfo?(bobbyholley+bmo)
Resolution: --- → INVALID
Component: DOM → DOM: Core & HTML