[prev in list] [next in list] [prev in thread] [next in thread]
List: kfm-devel
Subject: Re: Browser Frame Injection Vulnerability, review needed
From: Germain Garand <germain () ebooksfrance ! org>
Date: 2004-07-09 11:11:45
Message-ID: 200407091211.45347.germain () ebooksfrance ! org
[Download RAW message or body]
Le Mercredi 07 Juillet 2004 20:24, Waldo Bastian a écrit :
> Hi,
>
> There was a frame vulnerability reported last week, we have some patches
> floating around at http://bugs.kde.org/show_bug.cgi?id=84352
> Some feedback on those would be nice.
> In particular it seems that frames
> inherit their "domain" from the toplevel loading frameset. I would expect
> that it would inherit its domain from its loading frameset, but not from
> the frameset's frameset, as seems to be the case. Is that a bug or is there
> a reason why that is as it is?
the comment about that in KHTMLPart::slotChildDocCreated()
isn't really clear...
A frameset is just a box in the current document. So there's not even such a
thing as a "frameset's domain", is there?
FWIW, removing the connection to this slot makes KHTML match other browsers
behaviour with regard to the reported domain.
David, can you comment on this?
Greetings,
Germain
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic