Browser Frame Injection Vulnerability, review needed

David Faure faure at kde.org
Fri Jul 9 14:19:17 BST 2004


On Friday 09 July 2004 13:11, Germain Garand wrote:
> On Wednesday 07 July 2004 20:24, Waldo Bastian wrote:
> > Hi,
> >
> > There was a frame vulnerability reported last week, we have some patches
> > floating around at http://bugs.kde.org/show_bug.cgi?id=84352
> > Some feedback on those would be nice.
> 
> > In particular it seems that frames
> > inherit their "domain" from the toplevel loading frameset. I would expect
> > that it would inherit its domain from its loading frameset, but not from
> > the frameset's frameset, as seems to be the case. Is that a bug or is there
> > a reason why that is as it is?
> 
> the comment about that in KHTMLPart::slotChildDocCreated()
> isn't really clear...
> A frameset is just a box in the current document. So there's not even such a 
> thing as a "frameset's domain", is there?
Well it was loaded from a url, and its domain can be set by javascript too, no?

> FWIW, removing the connection to this slot makes KHTML match other browsers 
> behaviour with regard to the reported domain.
> David, can you comment on this?
No. Last time I thought I understood this stuff, Dirk proved me wrong.
The comment and the two bug reports linked from that method should provide 
some hindsight though...

-- 
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
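To make the difference between the two inheritance rules discussed above concrete, here is an added toy model (an illustration written for this page, not KHTML code and not any of the patches on bug 84352). Each frame carries its own URL and an optional document.domain value; one policy function reports the toplevel frameset's domain for every nested frame, the other reports the domain of the frame's own loaded document. The hostnames are constructed sample values, and the access check is a simplification of real same-origin rules (it ignores the requirement that both sides opt in via document.domain).

```python
# Added illustration (not KHTML code): a toy model of the two "domain" rules
# discussed in the thread, showing why inheriting from the toplevel frameset
# is the unsafe choice. Hostnames below are constructed sample values.
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urlsplit


@dataclass
class Frame:
    url: str
    parent: Optional["Frame"] = None
    children: List["Frame"] = field(default_factory=list)
    # value a script in this document assigned to document.domain, if any
    document_domain: Optional[str] = None

    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    def toplevel(self) -> "Frame":
        frame = self
        while frame.parent is not None:
            frame = frame.parent
        return frame


def add_child(parent: Frame, url: str) -> Frame:
    child = Frame(url, parent)
    parent.children.append(child)
    return child


def domain_from_toplevel(frame: Frame) -> str:
    """Rule the thread questions: a frame reports the toplevel frameset's
    domain, however deeply it is nested."""
    top = frame.toplevel()
    return top.document_domain or top.host()


def domain_from_own_document(frame: Frame) -> str:
    """Rule Waldo expects: the domain comes from the frame's own loaded
    document (its URL host, or whatever a script there set document.domain to)."""
    return frame.document_domain or frame.host()


Policy = Callable[[Frame], str]


def may_script_access(a: Frame, b: Frame, policy: Policy) -> bool:
    """Simplified same-domain check: script in frame `a` may touch frame `b`
    only when both report the same domain under `policy`. Real browsers also
    require both sides to have opted in via document.domain; omitted here."""
    return policy(a) == policy(b)


def build_sample_tree():
    """Constructed sample: an outer page nests a same-host frameset, which in
    turn loads a document from an unrelated host."""
    top = Frame("http://outer.example/frameset.html")
    middle = add_child(top, "http://outer.example/inner-frameset.html")
    nested = add_child(middle, "http://other.example/page.html")
    return top, middle, nested


def compare_policies():
    """Evaluate both rules on the sample tree. Under the toplevel rule the
    other.example document is treated as outer.example's, so the outer page's
    script would be allowed to reach into it; under the own-document rule it
    is not."""
    top, _middle, nested = build_sample_tree()
    return {
        "toplevel_rule_grants_access": may_script_access(top, nested, domain_from_toplevel),
        "own_document_rule_grants_access": may_script_access(top, nested, domain_from_own_document),
        "nested_domain_under_own_rule": domain_from_own_document(nested),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value}")
```

The model shows the security-relevant consequence in one place: a domain that is inherited from the toplevel frameset erases the boundary around any document loaded from a different host further down the tree, which is why the own-document rule is the one the other browsers mentioned in the thread follow.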



