
List:       konq-bugs
Subject:    [Bug 235468] New: Update same-origin policy for XMLHTTPRequest()s
From:       Tomas Hoger <thoger () pobox ! sk>
Date:       2010-04-26 17:08:53
Message-ID: bug-235468-5021 () http ! bugs ! kde ! org/

https://bugs.kde.org/show_bug.cgi?id=235468

           Summary: Update same-origin policy for XMLHTTPRequest()s from
                    local files
           Product: konqueror
           Version: unspecified
          Platform: Fedora RPMs
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
        AssignedTo: konq-bugs@kde.org
        ReportedBy: thoger@pobox.sk


Version:            (using KDE 4.4.2)
OS:                Linux
Installed from:    Fedora RPMs

Current same-origin policy in khtml allows XMLHTTPRequest()s from local files
to arbitrary http/https/webdav sites.  This has security implications and is
inconsistent with other html engines (gecko, webkit) and even with other
similar cases where khtml does not allow cross-domain access.

The problem was reported by Tim Brown and covered by:
  http://www.ocert.org/advisories/ocert-2009-015.html

In response to that, a patch was applied that only allows http* and webdav*
protocols in XHR, and a KDE advisory was published:
  http://websvn.kde.org/?view=revision&revision=1035538
  http://www.kde.org/info/security/advisory-20091027-1.txt

However, with the fix applied, JavaScript in a local file can still access
arbitrary http* URLs and hence can be used to "steal" data from a user's
authenticated sessions to some internet site, or some internal intranet web
sites, and post it to another remote host.

Is there a reason not to drop the "a local file can load anything" privilege?  Any
use case that may get broken by such a fix?  It seems the previous fix already bit
some users:
  http://forum.kde.org/viewtopic.php?f=18&t=83649

Here is what other browsers / engines do with XHR from local files:
- firefox - allows file:// requests, only to current directory /
sub-directories; http:// access not allowed
- webkit - allows file:// access, but not remote
- chromium - recent versions seem to block file:// completely
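
The comparison above can be made concrete as a small decision model. The following is an added example for this archive page, not khtml code or anything from the KDE project: each engine's behaviour is encoded as a predicate built only from the description in the report (pre-fix khtml, khtml after r1035538, firefox, webkit, chromium), so the rule sets are assumptions, and the document and target URLs are constructed placeholders. Running it shows why the post-fix khtml rule is still the odd one out: it refuses file:// targets but lets a file:// document reach any http*/webdav* host.

```javascript
// Added example, not khtml code: a model of the "XHR from a file:// document"
// decisions the bug report attributes to each engine. The rule sets below are
// constructed from the report's prose and are assumptions for illustration.
// Runs on plain Node.js (the WHATWG URL class is a global).

// Scheme of a URL without the trailing colon, e.g. "https".
function schemeOf(u) {
  return new URL(u).protocol.replace(/:$/, '');
}

// True when targetUrl lies in the directory of docUrl or in a sub-directory.
// Both must be file:// URLs. The URL parser resolves "." and ".." segments
// (including percent-encoded ones) for file: URLs, so a path that escapes the
// directory via ".." has already been rewritten by the time we compare it.
function inSameOrSubDir(docUrl, targetUrl) {
  const docPath = new URL(docUrl).pathname;
  const docDir = docPath.slice(0, docPath.lastIndexOf('/') + 1); // keeps trailing "/"
  const target = new URL(targetUrl).pathname;
  return target === docDir.slice(0, -1) || target.startsWith(docDir);
}

// One predicate per engine: may a document at docUrl (file://) request targetUrl?
const POLICIES = {
  // khtml before r1035538: "a local file can load anything"
  'khtml-pre-fix': () => true,
  // khtml after r1035538: only http* and webdav* targets. file:// is refused,
  // but any remote host is still reachable, which is what the report objects to.
  'khtml-post-fix': (doc, target) => /^(https?|webdavs?)$/.test(schemeOf(target)),
  // firefox: file:// only within the current directory or below, no http
  'firefox': (doc, target) => schemeOf(target) === 'file' && inSameOrSubDir(doc, target),
  // webkit: file:// allowed, nothing remote
  'webkit': (doc, target) => schemeOf(target) === 'file',
  // chromium (recent versions at the time): XHR from file:// blocked completely
  'chromium': () => false,
};

function xhrAllowed(engine, docUrl, targetUrl) {
  if (schemeOf(docUrl) !== 'file') {
    throw new Error('this model only covers documents loaded from file://');
  }
  const rule = POLICIES[engine];
  if (!rule) throw new Error('unknown engine: ' + engine);
  return rule(docUrl, targetUrl);
}

// Decision matrix for one document against several targets, keyed by engine.
function decisionMatrix(docUrl, targets) {
  const out = {};
  for (const engine of Object.keys(POLICIES)) {
    out[engine] = Object.fromEntries(
      targets.map((t) => [t, xhrAllowed(engine, docUrl, t)])
    );
  }
  return out;
}

// Constructed sample input: a page saved in the user's home directory and the
// kinds of targets the report discusses. Hostnames are placeholders.
const DOC = 'file:///home/user/saved-page.html';
const TARGETS = [
  'file:///home/user/notes.txt',            // same directory
  'file:///home/user/attachments/a.txt',    // sub-directory
  'file:///home/user/../other/secret.txt',  // escapes via "..", resolves to /home/other
  'file:///etc/hostname',                   // elsewhere on disk
  'https://intranet.example/',              // placeholder remote (intranet) host
  'webdav://files.example/share/',          // placeholder webdav host
];

console.table(decisionMatrix(DOC, TARGETS));
```

The table printed for `DOC` makes the inconsistency in the report visible in one place: only the two khtml rows answer `true` for the https and webdav targets, while firefox is the only engine that distinguishes `notes.txt` in the page's own directory from `/etc/hostname`.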
