Relaxing XSS checks
Harri Porten
porten at froglogic.com
Sat Apr 30 13:29:54 BST 2005
On Sat, 30 Apr 2005, Harri Porten wrote:
> I'm hesitant to touch the window.location check as I don't know what
> motivation was behind the check that was added. It should at least be
> possible to set the location.href property. But it would be great if
> anyone (Dirk?) could share his knowledge about how the location object is
> really supposed to be protected.
I have attached the patch that I'd like to apply. It makes an exception of
the checks for setting the location.href property. For normal windows I
would consider this to be safe (and in accordance with e.g. Mozilla). I
just wonder whether existence of frames might be a different story.
Harri.
-------------- next part --------------
Index: ecma/kjs_window.cpp
===================================================================
RCS file: /home/kde/kdelibs/khtml/ecma/kjs_window.cpp,v
retrieving revision 1.396.2.2
diff -u -3 -p -r1.396.2.2 kjs_window.cpp
--- ecma/kjs_window.cpp 30 Apr 2005 10:14:44 -0000 1.396.2.2
+++ ecma/kjs_window.cpp 30 Apr 2005 12:22:22 -0000
@@ -2100,14 +2100,18 @@ void Location::put(ExecState *exec, cons
if (m_frame.isNull() || m_frame->m_part.isNull())
return;
- // XSS check
const Window* window = Window::retrieveWindow( m_frame->m_part );
- if ( !window || !window->isSafeScript(exec) )
+ if ( !window )
+ return;
+
+ const HashEntry *entry = Lookup::findEntry(&LocationTable, p);
+
+ // XSS check. Only new hrefs can be set from other sites
+ if (entry->value != Href && !window->isSafeScript(exec))
return;
QString str = v.toString(exec).qstring();
KURL url = m_frame->m_part->url();
- const HashEntry *entry = Lookup::findEntry(&LocationTable, p);
if (entry)
switch (entry->value) {
case Href: {
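Review bot: the new XSS check dereferences `entry` before it is known to be non-null; `Lookup::findEntry(&LocationTable, p)` returns a null pointer for a property name not in the table, and the later `if (entry)` guard (kept from the original code) shows the author already expects that case, so `entry->value != Href` on an unknown property is a null dereference reachable from script. Either bail out first, e.g. `if (!entry) return;` right after the lookup, or fold the null test into the condition: `if ((!entry || entry->value != Href) && !window->isSafeScript(exec)) return;`. Either form keeps the intended behaviour (only `href` may be set by a script that fails `isSafeScript`), and the second form still subjects unknown properties to the same-origin check rather than silently skipping it.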