Skip to content

Commit

Permalink
Fix javascript: URL origin security check
Browse files Browse the repository at this point in the history 
This makes it non-racy by taking the origin snapshotted at the top of the navigation algorithm. It also switches to same origin-domain, which is more reasonable since if you have synchronous access to the document then you can just run JavaScript directly in it anyway. Fixes whatwg#2591. Helps with whatwg#1130. See whatwg#6514 for related investigation.
  • Loading branch information
@domenic @mfreed7
domenic authored and mfreed7 committed Jun 3, 2022
1 parent 551a515 commit 7058a24
Showing 1 changed file with 4 additions and 11 deletions.
15 changes: 4 additions & 11 deletions source
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85952,8 +85952,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
<ol>
<li><p>Let <var>response</var> be the result of <span data-x="javascript protocol">executing
a <code>javascript:</code> URL request</span> given <var>resource</var>,
<var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>.</p></li>
<var>browsingContext</var>, and <var>incumbentNavigationOrigin</var>.</p></li>

<li><p>Let <var>finalSandboxFlags</var> be the <span data-x="set union">union</span> of
<var>browsingContext</var>'s <span data-x="concept-bc-sandboxing-flags">sandboxing
Expand Down Expand Up @@ -86527,15 +86526,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
<p>If both of the following are true:</p>

<ul>
<li>
<p><var>source</var>'s <span>active document</span>'s <span
data-x="concept-document-origin">origin</span> is <span>same origin</span> with
<var>browsingContext</var>'s <span>active document</span>'s <span
data-x="concept-document-origin">origin</span>.</p>

<p class="XXX">As explained in <a href="https://github.com/whatwg/html/issues/2591">issue
#2591</a> this step does not work and presents a security issue.</p>
</li>
<li><p><var>initiatorOrigin</var> is <span>same origin-domain</span> with
<var>browsingContext</var>'s <span>active document</span>'s <span
data-x="concept-document-origin">origin</span>.</p></li>

<li><p>The result of <span>Should navigation request of type be blocked by Content Security
Policy?</span> given <var>request</var> and <var>navigationType</var> is "<code
Expand Down

0 comments on commit 7058a24

Please sign in to comment.