Google Suggest

Darin Adler darin at apple.com
Fri Apr 29 18:26:14 CEST 2005


On Apr 29, 2005, at 3:40 AM, Allan Sandfeld Jensen wrote:

> On Thursday 28 April 2005 01:15, Darin Adler wrote:
>
>> On Apr 27, 2005, at 2:54 AM, Allan Sandfeld Jensen wrote:
>>
>>> Oops. I gave you the wrong version of the patch, but it can still
>>> be done a lot simpler than you do. Here is the current version:
>>>
>>>     case FrameElement:
>>>       if (m_frame->m_frame)
>>>         return getDOMNode(exec,m_frame->m_frame->element());
>>>       else
>>>         return Undefined();
>>
>> That looks good, although we can't use it in our tree because we
>> haven't made the change to how frames work that you have.
>>
>> But it's missing a security check. I believe it needs an isSafeScript
>> call.
>
> I was not sure about that. The current script is already tested with
> isSafeScript which means it is the same domain as the parent script. The
> extra test you make tests if the parent is the same domain as the
> current, so it is redundant?

As I understand it, the problem is that this gives you an element in the parent frame, not your own frame. The parent frame is not necessarily in the same domain as your frame. If you tried to get, for example, the document element of the parent frame with parent.document, you could get the parent without a check, but trying to get the document would have an isSafeScript check. Going straight to an element inside the parent effectively bypasses this. For example, you could just do parent.frameElement.ownerDocument and, voila, you've bypassed the normal cross-domain security.

I'll be creating a test case for this soon, which should demonstrate the issue pretty clearly. I landed an earlier version of this fix without the security check, and it was others on the Safari team who noticed that I got it wrong.

     -- Darin
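The point of the thread, modelled as an added example (this is not KHTML or WebKit code, and not code from the thread): a toy frame tree in which each frame carries an origin, an `isSafeScript` stand-in that compares origins, and the `frameElement` getter both as quoted in the patch (no check) and with the check Darin asks for. The names `Frame`, `Element`, `isSafeScript`, `frameElementUnchecked`, `frameElementChecked` and `documentReachableViaFrameElement` are assumptions for this illustration, and the origin comparison is a simplification of the real check, which also deals with document.domain and special URLs. The sample frames are constructed.

```cpp
#include <cstdio>
#include <string>

// Toy model of the frame tree and the security check discussed in the
// thread. Added illustration, not KHTML or WebKit code: the struct names,
// the origin comparison in isSafeScript and the two getters are
// simplifications assumed for this example.
struct Frame;

// An element living in some frame's document (here: the <iframe>/<frame>
// element that embeds a child frame).
struct Element {
    Frame* ownerFrame;  // frame whose document contains this element
};

struct Frame {
    std::string origin;          // origin of the document shown in this frame
    Frame* parent = nullptr;     // null for the top-level frame
    Element* element = nullptr;  // the embedding element in the parent's document
};

// Simplified isSafeScript: script running in `caller` may touch objects
// belonging to `target` only when both documents share an origin.
bool isSafeScript(const Frame& caller, const Frame& target) {
    return caller.origin == target.origin;
}

// The getter as in the quoted patch: hands back the embedding element
// without asking whether the caller may see the parent's document.
Element* frameElementUnchecked(const Frame& caller) {
    return caller.element;
}

// The getter with the missing check: the element belongs to the parent's
// document, so access is gated on that document's origin, exactly as
// parent.document would be.
Element* frameElementChecked(const Frame& caller) {
    Element* element = caller.element;
    if (!element)
        return nullptr;  // top-level frame: nothing to return (Undefined in KJS)
    if (!isSafeScript(caller, *element->ownerFrame))
        return nullptr;  // cross-origin parent: refuse
    return element;
}

// Models `frameElement.ownerDocument` evaluated by script in `caller`:
// returns the frame whose document becomes reachable, or null when the
// getter exposed nothing.
const Frame* documentReachableViaFrameElement(const Frame& caller, bool checked) {
    Element* element = checked ? frameElementChecked(caller)
                               : frameElementUnchecked(caller);
    return element ? element->ownerFrame : nullptr;
}

int main() {
    // Constructed sample: a cross-origin child embedded in a parent page.
    Frame top{"https://parent.test"};
    Element embed{&top};
    Frame child{"https://child.test", &top, &embed};

    const Frame* leaked = documentReachableViaFrameElement(child, false);
    const Frame* gated = documentReachableViaFrameElement(child, true);
    std::printf("unchecked getter exposes parent document: %s\n", leaked ? "yes" : "no");
    std::printf("checked getter exposes parent document:   %s\n", gated ? "yes" : "no");
    return 0;
}
```

The check is placed on the getter itself rather than on the element's properties because, as the message explains, once the element object is handed to the caller every property reachable from it (ownerDocument and onward) is reachable too; the gate has to sit at the point where the parent's object first crosses into the child's script.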


