Relaxing XSS checks

Harri Porten porten at kde.org
Sat Apr 30 11:28:38 BST 2005


Hi,

Bug report http://bugs.kde.org/101178 is about window features that
broke due to stricter cross-site scripting checks.

 http://webcvs.kde.org/kdelibs/khtml/ecma/kjs_window.cpp?r1=1.317&r2=1.318
 http://webcvs.kde.org/kdelibs/khtml/ecma/kjs_window.cpp?r1=1.318&r2=1.319

Crazy that it took 2 years for those problems to be discovered.

I have applied a patch for window.close(). close() always had its own
security semantics so I don't think that the isSafeScript() function
should be used.

I'm hesitant to touch the window.location check as I don't know what
motivation was behind the check that was added. It should at least be
possible to set the location.href property. But it would be great if
anyone (Dirk?) could share his knowledge about how the location object is
really supposed to be protected.

Thanks,

Harri.
