List: konq-bugs
Subject: [Bug 235468] New: Update same-origin policy for XMLHTTPRequest()s
From: Tomas Hoger <thoger () pobox ! sk>
Date: 2010-04-26 17:08:53
Message-ID: bug-235468-5021 () http ! bugs ! kde ! org/
https://bugs.kde.org/show_bug.cgi?id=235468
Summary: Update same-origin policy for XMLHTTPRequest()s from
local files
Product: konqueror
Version: unspecified
Platform: Fedora RPMs
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
AssignedTo: konq-bugs@kde.org
ReportedBy: thoger@pobox.sk
Version: (using KDE 4.4.2)
OS: Linux
Installed from: Fedora RPMs

The current same-origin policy in khtml allows XMLHTTPRequest()s from local files
to arbitrary http/https/webdav sites. This has security implications and is
inconsistent with other HTML engines (gecko, webkit) and even with other
similar cases where khtml does not allow cross-domain access.

The problem was reported by Tim Brown and covered by:
http://www.ocert.org/advisories/ocert-2009-015.html

In response to that, a patch was applied that only allows http* and webdav*
protocols in XHR, and a KDE advisory was published:
http://websvn.kde.org/?view=revision&revision=1035538
http://www.kde.org/info/security/advisory-20091027-1.txt

However, with the fix applied, JavaScript in a local file can still access
arbitrary http* URLs and hence can be used to "steal" data from the user's
authenticated sessions to some internet site, or some internal intranet web
sites, and post them to another remote host.

Is there a reason not to drop the "a local file can load anything" privilege? Any
use case that may get broken by such a fix? It seems the previous fix already bit
some users:
http://forum.kde.org/viewtopic.php?f=18&t=83649

Here is what other browsers / engines do with XHR from local files:

- firefox - allows file:// requests, only to current directory /
  sub-directories; http:// access not allowed
- webkit - allows file:// access, but not remote
- chromium - recent versions seem to block file:// completely
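The policy comparison in the report, written out as a small JavaScript model. This is an added example, not part of the original message and not code from khtml, Gecko, WebKit or Chromium; the policy names, `localXhrAllowed`, `compare` and the sample URLs are constructed for illustration, and each rule follows only the one-line description given in the report.

```javascript
// Model of "may a page loaded from file:// send an XHR to this target?"
// under each behaviour the report lists. Assumption: every rule is taken
// from the report's wording only, not from the engines' source code.
function localXhrAllowed(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'file:') {
    throw new Error('this model only covers pages loaded from file://');
  }
  // Resolving against the page URL also collapses "." and ".." segments,
  // so the directory check below works on a normalised path.
  const target = new URL(targetUrl, page);
  const isFile = target.protocol === 'file:';

  switch (policy) {
    case 'khtml':
      // After revision 1035538: only http* and webdav* targets, any host.
      return /^(http|webdav)/.test(target.protocol);
    case 'firefox': {
      // file:// only, limited to the page's directory and below.
      const baseDir = page.pathname.slice(0, page.pathname.lastIndexOf('/') + 1);
      return isFile && target.pathname.startsWith(baseDir);
    }
    case 'webkit':
      // file:// allowed, remote targets refused.
      return isFile;
    case 'chromium':
      // Recent versions: XHR from a local file is blocked.
      return false;
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Evaluate one request under all four policies.
function compare(pageUrl, targetUrl) {
  const result = {};
  for (const p of ['khtml', 'firefox', 'webkit', 'chromium']) {
    result[p] = localXhrAllowed(p, pageUrl, targetUrl);
  }
  return result;
}

// Constructed sample: a saved HTML file asking for an intranet page.
const PAGE = 'file:///home/user/docs/page.html';
console.log(compare(PAGE, 'https://intranet.example/report'));
console.log(compare(PAGE, 'sub/data.xml'));
console.log(compare(PAGE, '../../etc/passwd'));
```

Only the `khtml` rule answers `true` for the remote target, which is the gap the report asks to close.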