Comment #1 on issue 5053 by [EMAIL PROTECTED]:
LayoutTests/fast/frames/cross-site-this.html fails
http://code.google.com/p/chromium/issues/detail?id=5053
I spent some time going through LayoutTests/http/tests/security/dataURL/xss-DENIED-from-data-url-sub-frame-to-data-url-sub-frame.html, and I believe that there are quite a few problems with how we handle windows and iframes, though I don't know what to do about it.
In the case of all the xss-DENIED-from-data-url-* cases that we're failing, we have an access check in 'bool V8Proxy::CanAccessFrame(Frame* target, bool report_error)' and 'bool V8Proxy::CanAccessPrivate(DOMWindow* target_window)', which perform a first-level security check to see if their DOMWindows are the same. The problem with this check in CanAccessPrivate is that it believes that the DOMWindows are equivalent, and this is where I come back to brettw's issue.
It appears that it's just consulting the current global context to figure out the containing window ('DOMWindow* V8Proxy::retrieveWindow(v8::Handle<v8::Context> context)' and 'DOMWindow* V8Proxy::retrieveWindow()'). The results would be wrong (and are) if the 'this' is wrong.
I just wanted to throw out this observation, as I think the root cause is affecting numerous tests here.