WebCore:
author: weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Dec 2007 22:39:51 +0000 (22:39 +0000)
committer: weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Dec 2007 22:39:51 +0000 (22:39 +0000)
commit: 72154421162d0f82e3afd3ec30f42b43c5e29918
tree: 788eb00e0e6097f167a6dba1e441b3f1430fa873
parent: 2186d5f3c8eef6915519235d1ed73e7d652dd2a2
WebCore:

        Reviewed and landed by Sam Weinig.

        http://bugs.webkit.org/show_bug.cgi?id=15313
        <rdar://problem/5514516>

        The same-origin check was incorrect in two cases (both fixed in this
        patch):

        A) If both the source and the target have set their document.domain
           to the same value, the protocol must also match in order for
           access to be allowed.  Without this requirement, the browser is
           vulnerable to the following attack:

           1) Suppose there is an HTTPS site (www.example.com) that sets
              document.domain = "example.com".
           2) A network attacker redirects the browser to http://www.example.com/
              a) injects script to set document.domain = "example.com", and
              b) opens a window to https://www.example.com/
           3) Now the network attacker can inject script into the HTTPS page,
              stealing cookies and issuing banking transactions.

        B) If only one of the source and target has set document.domain, then
           access should be denied.  With this behavior, the browser is
           vulnerable to the following attack:

           1) Suppose http://foo.example.com/ opens an iframe to
              http://foo.example.com/frame.html that
              a) sets document.domain = "example.com", and
              b) opens an iframe to http://bar.example.com/
              This is a common usage of document.domain for cross-domain
              communication, see for example:
                http://www.collinjackson.com/research/papers/fp801-jackson.pdf
           2) The inner-most iframe, which is from bar.example.com, sets
              document.domain = "example.com".
           3) Now the inner-most iframe can inject script into the middle
              iframe (say via document.write).  This bar.example.com script
              now has access to the outer-most frame (from foo.example.com).

        Both these changes cause WebKit to match the behavior of Firefox 2 and
        IE6 in these cases.  This patch includes regression tests for both
        issues.

        Internet Explorer 7 and Opera 9 are more strict in that they require
        the port numbers to match when both pages have document.domain set.
        Opera 9 allows access when only one page has set document.domain, but
        this is a security vulnerability.

        Tests: http/tests/security/cross-frame-access-child-explicit-domain.html
               http/tests/security/cross-frame-access-parent-explicit-domain.html

        * bindings/js/kjs_window.cpp:
        (KJS::createWindow):
        (KJS::Window::allowsAccessFrom):
        * dom/Document.cpp:
        (WebCore::Document::domain):
        (WebCore::Document::setDomain):
        (WebCore::Document::initSecurityOrigin):
        * dom/Document.h:
        (WebCore::Document::securityOrigin):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::begin):
        (WebCore::FrameLoader::checkCallImplicitClose):
        (WebCore::FrameLoader::shouldAllowNavigation):
        * platform/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::setForURL):
        (WebCore::SecurityOrigin::createForFrame):
        (WebCore::SecurityOrigin::canAccess):
        * platform/SecurityOrigin.h:
        (WebCore::SecurityOrigin::domain):
        * storage/Database.cpp:
        (WebCore::Database::openDatabase):
        (WebCore::Database::Database):
        (WebCore::Database::securityOriginData):
        * storage/Database.h:
        (WebCore::Database::databaseDebugName):
        * storage/DatabaseTracker.cpp:
        (WebCore::DatabaseTracker::canEstablishDatabase):
        * storage/SQLTransaction.cpp:
        (WebCore::SQLTransaction::postflightAndCommit):
        (WebCore::SQLTransaction::cleanupAfterTransactionErrorCallback):

LayoutTests:

        Reviewed and landed by Sam Weinig.

        Update LayoutTests for http://bugs.webkit.org/show_bug.cgi?id=15313

        * http/tests/security/cross-frame-access-child-explicit-domain-expected.txt: Added.
        * http/tests/security/cross-frame-access-child-explicit-domain.html: Added.
        * http/tests/security/cross-frame-access-custom-expected.txt:
        * http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt: Added.
        * http/tests/security/cross-frame-access-parent-explicit-domain.html: Added.
        * http/tests/security/cross-frame-access-port-explicit-domain-expected.txt:
        * http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt:
        * http/tests/security/cross-frame-access-protocol-explicit-domain.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28912 268f45cc-cd09-0410-ab3c-d52691b4dbfc
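The two rules the commit message describes (protocol must match when both pages set document.domain; deny when only one side set it), written out as an added example in C++. This is not WebCore's own SecurityOrigin code: the Origin struct, setDocumentDomain and canAccess are assumed names, and the origins in the two scenario functions are constructed from the attacks described above.

```cpp
#include <string>
// Added example, not WebCore's own SecurityOrigin code: a minimal origin model
// exercising the two document.domain rules described in the commit message.
struct Origin {
    std::string protocol;  // "http" or "https"
    std::string host;      // e.g. "www.example.com"
    int port;              // 80, 443, ...
    std::string domain;    // value assigned to document.domain, if any
    bool domainWasSet;     // true once the page assigned document.domain
};

// Models a page assigning document.domain (the real setter also validates
// that the value is a suffix of the host; that check is not modelled here).
void setDocumentDomain(Origin& origin, const std::string& newDomain) {
    origin.domain = newDomain;
    origin.domainWasSet = true;
}

// The access check after the fix. Per the commit message, WebKit does not
// require matching ports when both pages set document.domain (IE7/Opera 9 do).
bool canAccess(const Origin& active, const Origin& target) {
    if (active.domainWasSet != target.domainWasSet)
        return false;  // Rule B: only one side set document.domain -> deny
    if (active.domainWasSet)  // Rule A: both set it -> protocol must match too
        return active.protocol == target.protocol && active.domain == target.domain;
    // Neither set document.domain: ordinary scheme/host/port comparison.
    return active.protocol == target.protocol && active.host == target.host && active.port == target.port;
}

// Scenario A from the commit: an HTTP page must not reach the HTTPS page even
// though both set document.domain = "example.com" (constructed origins).
bool scenarioAIsBlocked() {
    Origin secure{"https", "www.example.com", 443, "", false};
    Origin attacker{"http", "www.example.com", 80, "", false};
    setDocumentDomain(secure, "example.com");
    setDocumentDomain(attacker, "example.com");
    return !canAccess(attacker, secure);
}

// Scenario B from the commit: the middle frame set document.domain but the
// outer frame did not, so the hop from the middle frame to the outer one is denied.
bool scenarioBIsBlocked() {
    Origin outer{"http", "foo.example.com", 80, "", false};
    Origin middle{"http", "foo.example.com", 80, "", false};
    Origin inner{"http", "bar.example.com", 80, "", false};
    setDocumentDomain(middle, "example.com");
    setDocumentDomain(inner, "example.com");
    // inner -> middle is the legitimate cross-domain use (both set the same domain)
    return canAccess(inner, middle) && !canAccess(middle, outer);
}
```

Before the fix, both scenario functions would have returned false: scenario A because only domains were compared, scenario B because the middle and outer frames share scheme, host and port.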
20 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-frame-access-child-explicit-domain.html [new file with mode: 0644]
LayoutTests/http/tests/security/cross-frame-access-custom-expected.txt
LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/cross-frame-access-parent-explicit-domain.html [new file with mode: 0644]
LayoutTests/http/tests/security/cross-frame-access-port-explicit-domain-expected.txt
LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain-expected.txt
LayoutTests/http/tests/security/cross-frame-access-protocol-explicit-domain.html
WebCore/ChangeLog
WebCore/bindings/js/kjs_window.cpp
WebCore/dom/Document.cpp
WebCore/dom/Document.h
WebCore/loader/FrameLoader.cpp
WebCore/platform/SecurityOrigin.cpp
WebCore/platform/SecurityOrigin.h
WebCore/storage/Database.cpp
WebCore/storage/Database.h
WebCore/storage/DatabaseTracker.cpp
WebCore/storage/SQLTransaction.cpp