Security checks in navigate are racy and hence broken #2591

Open
bzbarsky opened this Issue Apr 26, 2017 · 1 comment

Collaborator

bzbarsky commented Apr 26, 2017

https://html.spec.whatwg.org/#navigate step 12 in the javascript: case, substep 1 does a check that involves the "source browsing context's active document's origin".

Unfortunately, this need not match the origin that browsing context had when the navigation started, because this step is running off a task. So in a browser that implements the spec as written you get a security hole: if you target a javascript: load at a cross-origin site just as you're being unloaded due to navigation to that same cross-origin site you get XSS.

I know there are existing bugs on the "source browsing context" thing being a bit wonky, but given that I know there are implementations attempting to align with the HTML spec on the navigation algorithm, or even implementing directly from the spec, it would be good to at least have a note here or something explicitly calling out the fact that the spec should not be implemented as-is.

// cc @asajeffrey @cbrewster
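The race described in the comment above, as an added example that is not part of the original issue, the HTML spec, or any browser's code. It uses a deliberately simplified model: `BrowsingContext`, `taskQueue`, both `navigate*` functions and the `a.example`/`b.example` origins are constructed for illustration, and capturing the initiator's origin when the navigation is requested is an assumed fix, not one stated in the thread.

```javascript
// Toy model: a browsing context whose active document (and therefore origin)
// can be replaced between the navigation request and the queued task.
class BrowsingContext {
  constructor(origin) { this.activeDocument = { origin }; }
  commitNavigation(origin) { this.activeDocument = { origin }; }
}

const taskQueue = [];
function runTasks() { while (taskQueue.length) taskQueue.shift()(); }

// Check performed inside the task: reads the source context's active
// document at task time, which may no longer be the initiating document.
function navigateRacy(source, target, log) {
  taskQueue.push(() => {
    const same = source.activeDocument.origin === target.activeDocument.origin;
    log.push(same ? "javascript: URL executed" : "blocked");
  });
}

// Assumed hardening: snapshot the initiator's origin synchronously, at the
// moment navigation is requested, and compare against that snapshot later.
function navigateSnapshot(source, target, log) {
  const initiatorOrigin = source.activeDocument.origin;
  taskQueue.push(() => {
    const same = initiatorOrigin === target.activeDocument.origin;
    log.push(same ? "javascript: URL executed" : "blocked");
  });
}

// Constructed scenario: a.example requests a javascript: navigation of a
// b.example context, then is itself navigated to b.example before the task runs.
function simulate(navigate) {
  const source = new BrowsingContext("https://a.example");
  const target = new BrowsingContext("https://b.example");
  const log = [];
  navigate(source, target, log);                 // requested by a.example
  source.commitNavigation("https://b.example");  // source unloads meanwhile
  runTasks();                                    // origin check happens now
  return log[0];
}

console.log("check at task time:   ", simulate(navigateRacy));
console.log("check against snapshot:", simulate(navigateSnapshot));
```
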

Member

annevk commented Apr 27, 2017

Created #2601 to add issue markers.

domenic added a commit that referenced this issue Apr 27, 2017

inikulin added a commit to HTMLParseErrorWG/html that referenced this issue May 9, 2017

