[EMAIL PROTECTED] wrote:
>
> http://lxr.mozilla.org/seamonkey/source/dom/public/nsDOMPropNames.h
>
> lists those objects subject to same-origin checks.
> Should "window.frames" be listed here? If this is overridden by
> modifying all.js with the following line:
>
> pref("capability.policy.default.window.frames", "allAccess");
>
> then sibling frames can access one another across a parent frame with a
> different domain exposing only the frames array ( allowing for sites to
> do checks like top.frames.length to escape being framed ) which poses
> no security vulnerability. I have not posted a bug on Bugzilla yet as I
> am waiting for confirmation that this limitation is not intentional.
> If it is intentional then I think that it should be re-thought since
> the cross-domain security policy has always been based on limiting
> access to documents from different domains, the window objects
> themselves should be fair game except where the window properties
> expose information about the document, such as read access to
> window.location. The window objects of a window ( frames ) should be
> accessible themselves and their properties limited by the
> aforementioned document construct. The frames array and accessing a window
> object reveals no information about the document or content that is
> meaningful or potentially insecure.
This question would be best re-posted to netscape.public.mozilla.security,
possibly cross-posted to the .dom group.
-Dan Veditz