Fix javascript: URL origin security check #6801

Merged
merged 2 commits into from
Jun 25, 2021
domenic (Member) commented Jun 23, 2021

This makes it non-racy by taking the origin snapshotted at the top of the navigation algorithm. It also switches to same origin-domain, which is more reasonable since if you have synchronous access to the document then you can just run JavaScript directly in it anyway. Fixes #2591. Helps with #1130. See #6514 for related investigation.

(See WHATWG Working Mode: Changes for more details.)


/browsing-the-web.html ( diff )

This makes it non-racy by taking the origin snapshotted at the top of the navigation algorithm. Fixes #2591. Helps with #1130. See #6514 for related investigation.

annevk (Member) commented Jun 25, 2021

From your tests I get the impression the browsers do the opposite of what you assert. You can only get a same origin-domain match if both sides have set document.domain.

domenic (Member, Author) commented Jun 25, 2021

You are totally right. Let me change the check to same origin-domain then.

domenic (Member, Author) commented Jun 25, 2021

(In particular same origin-domain makes more sense here anyway, since if you have synchronous access to the document then you can just run JS in it directly.)
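
The distinction between same origin and same origin-domain that the discussion above turns on, and the effect of deciding from a snapshotted initiator origin, as an added JavaScript example (not part of this PR or of the HTML Standard's text). The comparison rules follow the HTML Standard's definitions for tuple origins; `beginNavigation`, `raceDemo` and the `a.example`/`b.example` origins are hypothetical names constructed for illustration.

```javascript
// Added example: tuple origins as plain objects (opaque origins are left out).
const origin = (scheme, host, port = null, domain = null) =>
  ({ scheme, host, port, domain });

// "same origin": scheme, host and port all match; domain is ignored.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "same origin-domain": when both sides have a non-null domain, compare scheme
// and domain only; when neither has one, fall back to same origin; when only
// one side has set it, the comparison fails.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

// Hypothetical model of the javascript: URL check. `source` and `target` are
// constructed stand-ins for browsing contexts with a mutable `origin` field.
function beginNavigation(source, target) {
  const initiatorOrigin = { ...source.origin }; // snapshot at the top
  return {
    // Decision made later from the snapshot (the non-racy form).
    snapshotCheck: () => sameOriginDomain(initiatorOrigin, target.origin),
    // Decision made later from the source's live state (the racy form).
    liveCheck: () => sameOriginDomain(source.origin, target.origin),
  };
}

// Constructed scenario: the source's origin changes after navigation begins.
function raceDemo() {
  const source = { origin: origin("https", "a.example") };
  const target = { origin: origin("https", "a.example") };
  const nav = beginNavigation(source, target);
  source.origin = origin("https", "b.example"); // state changed mid-flight
  return { snapshot: nav.snapshotCheck(), live: nav.liveCheck() };
}

console.log(raceDemo()); // { snapshot: true, live: false }
```
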

@domenic domenic merged commit 477bd71 into main Jun 25, 2021
@domenic domenic deleted the js-url-origin-check branch June 25, 2021 17:47
domenic added a commit to web-platform-tests/wpt that referenced this pull request Jun 25, 2021
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Jun 27, 2021
… a=testonly

Automatic update from web-platform-tests
Test the javascript: URL security check

Follows whatwg/html#6801.
--

wpt-commits: da61c71b9417336421d5b0f8b8973a7225d5815b
wpt-pr: 29468
jamienicol pushed a commit to jamienicol/gecko that referenced this pull request Jul 16, 2021
… a=testonly

Successfully merging this pull request may close these issues.

Security checks in navigate are racy and hence broken