
Security checks in navigate are racy and hence broken #2591

Open
bzbarsky opened this issue Apr 26, 2017 · 2 comments

Comments

@bzbarsky
Collaborator

commented Apr 26, 2017

https://html.spec.whatwg.org/#navigate step 12 in the javascript: case, substep 1 does a check that involves the "source browsing context's active document's origin".

Unfortunately, this need not match the origin that browsing context had when the navigation started, because this step is running off a task. So in a browser that implements the spec as written you get a security hole: if you target a javascript: load at a cross-origin site just as you're being unloaded due to navigation to that same cross-origin site, you get XSS.

I know there are existing bugs on the "source browsing context" thing being a bit wonky, but given that I know there are implementations attempting to align with the HTML spec on the navigation algorithm, or even implementing directly from the spec, it would be good to at least have a note here or something explicitly calling out the fact that the spec should not be implemented as-is.

// cc @asajeffrey @cbrewster
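The race described in this issue, as an added model that is not part of the issue or of any browser's or the spec's own code: a queued task performs the javascript: origin check, and the source browsing context's active document is replaced by a cross-origin one between the call to navigate and the task running. All names here (makeContext, navigate, runTasks, simulateRace, the "racy" and "snapshot" modes, the a.example and b.example origins) are hypothetical constructs for the illustration. The "snapshot" mode captures the source origin when navigate is invoked, which is the behaviour that closes the window.

```javascript
// Hypothetical single-threaded task queue standing in for the event loop.
const taskQueue = [];

// A browsing context is modelled as just its active document's origin.
function makeContext(originOfActiveDocument) {
  return { activeDocument: { origin: originOfActiveDocument } };
}

// Model of the navigate algorithm restricted to the javascript: case.
// `mode` selects how substep 1 reads the source browsing context's origin:
//   "racy"     - reads source.activeDocument.origin when the queued task runs
//   "snapshot" - uses the origin captured when navigate was invoked
function navigate(source, target, url, mode) {
  const originAtInvocation = source.activeDocument.origin;
  const result = { url, executed: null };
  taskQueue.push(() => {
    const sourceOrigin =
      mode === "snapshot" ? originAtInvocation : source.activeDocument.origin;
    // The javascript: URL may only run in the target if the source's origin
    // matches the target's active document's origin.
    result.executed = sourceOrigin === target.activeDocument.origin;
  });
  return result;
}

function runTasks() {
  while (taskQueue.length) taskQueue.shift()();
}

// Scenario from the issue: source (a.example) targets a javascript: load at
// target (b.example) while source itself is being navigated to b.example.
// Returns true if the model would let the script run in the target.
function simulateRace(mode) {
  const source = makeContext("https://a.example"); // constructed origin
  const target = makeContext("https://b.example"); // constructed origin
  const result = navigate(source, target, "javascript:void 0", mode);
  // Source's own cross-origin navigation completes before the queued task runs.
  source.activeDocument = { origin: "https://b.example" };
  runTasks();
  return result.executed;
}

console.log("racy check lets script run:", simulateRace("racy"));
console.log("snapshot check lets script run:", simulateRace("snapshot"));
```

With the racy reading, the source origin observed by the task is already b.example, so the check passes and the script would run cross-origin; with the origin captured at invocation time, the check fails as it should.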

@annevk

Member

commented Apr 27, 2017

Created #2601 to add issue markers.

domenic added a commit that referenced this issue Apr 27, 2017
inikulin added a commit to HTMLParseErrorWG/html that referenced this issue May 9, 2017
inikulin added a commit to HTMLParseErrorWG/html that referenced this issue May 9, 2017
alice added a commit to alice/html that referenced this issue Jan 8, 2019
@gterzian

Contributor

commented Jun 7, 2019

The origin concept on the other hand seems to take this into account for "Documents (that are) created as part of the processing for javascript: URLs" in stating that their origins are determined by taking "The origin of the active document of the browsing context being navigated when the navigate algorithm was invoked."
