This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 21932 - Primitive-valued dialogArguments should not be visible cross-origin
Summary: Primitive-valued dialogArguments should not be visible cross-origin
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: HTML (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Ian 'Hixie' Hickson
QA Contact: contributor
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 21771
  Show dependency treegraph
 
Reported: 2013-05-06 03:45 UTC by Bobby Holley (:bholley)
Modified: 2013-06-14 18:12 UTC (History)
4 users (show)

See Also:

Attachments

Description Bobby Holley (:bholley) 2013-05-06 03:45:59 UTC 
The spec currently says:

> The dialogArguments IDL attribute, on getting, must check whether its
> browsing context's active document's origin is the same as the dialog
> arguments' origin. If it is, then the browsing context's dialog arguments
> must be returned unchanged. Otherwise, if the dialog arguments are an
> object, then the empty string must be returned, and if the dialog arguments
> are not an object, then the stringification of the dialog arguments must
> be returned.

I wrote a testcase [1] to test a cross-origin and same-origin showModalDialog with |1| as the argument. In Firefox, Chrome, and IE9, the value is undefined cross-origin (Safari and Opera don't appear to implement showModalDialog).

When trying to change Gecko's behavior to match the spec, I broke our test coverage for [2], which strongly suggests that we should keep our current behavior.

[1] http://people.mozilla.com/~bholley/testcases/xomodal.html
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=504862
Comment 1 Bobby Holley (:bholley) 2013-05-06 20:46:43 UTC 
I augmented the test to check return values as well. It appears that a similar origin check is applied to window.returnValue, so looks like we'll have to fix this there as well. :-(
Comment 2 Ian 'Hixie' Hickson 2013-06-07 22:12:30 UTC 
What's the security problem of exposing strings? Adam seemed ok with it in 2009:

   http://lists.w3.org/Archives/Public/public-whatwg-archive/2009Jun/0336.html

Did something change?

Or are strings ok, it's just that nobody implements it and we'd rather not bother making showModalDialog() better?
Comment 3 Bobby Holley (:bholley) 2013-06-07 22:21:29 UTC 
(In reply to comment #2)
> What's the security problem of exposing strings?

Per mozilla bug 504862, it sounds like the concern is more about protecting the openee than the opener. That is to say, if someone wrote a page assuming that dialogArguments came from a trusted source, they those pages could potentially be exploited.

> Or are strings ok, it's just that nobody implements it and we'd rather not
> bother making showModalDialog() better?

I recently reimplemented all our showModalDialog stuff, and I actually tried to follow the spec on this issue and use strings (it made the implementation simpler as well). But I ran afoul of our test coverage for [2], and I figured that it would probably take more than a unilateral decision on my part to determine that this is now ok.
Comment 4 Ian 'Hixie' Hickson 2013-06-14 18:12:42 UTC 
Hm actually the threat to the openee is an interesting point. Even if it's just strings, they could be parsing them in some special way and get screwed.

Ok. Let me know if I missed anything important!
Comment 5 contributor 2013-06-14 18:12:52 UTC 
Checked in as WHATWG revision r7975.
Check-in comment: Make showModalDialog()'s dialogArguments and returnValue only be useful same-origin, to avoid origins attacking each other
http://html5.org/tools/web-apps-tracker?from=7974&to=7975