Commit 477bd71

Fix javascript: URL origin security check
This makes it non-racy by taking the origin snapshotted at the top of the navigation algorithm. It also switches to same origin-domain, which is more reasonable since if you have synchronous access to the document then you can just run JavaScript directly in it anyway. Fixes #2591. Helps with #1130. See #6514 for related investigation.
1 parent a6e18b8 commit 477bd71

File tree

1 file changed (+4, -11 lines changed)

source

Lines changed: 4 additions & 11 deletions
@@ -85949,8 +85949,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
8594985949
<ol>
8595085950
<li><p>Let <var>response</var> be the result of <span data-x="javascript protocol">executing
8595185951
a <code>javascript:</code> URL request</span> given <var>resource</var>,
85952-
<var>navigationType</var>, the <span>source browsing context</span>, and
85953-
<var>browsingContext</var>.</p></li>
85952+
<var>browsingContext</var>, and <var>incumbentNavigationOrigin</var>.</p></li>
8595485953

8595585954
<li><p>Let <var>finalSandboxFlags</var> be the <span data-x="set union">union</span> of
8595685955
<var>browsingContext</var>'s <span data-x="concept-bc-sandboxing-flags">sandboxing
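Review bot: the call site now passes `incumbentNavigationOrigin` in place of the source browsing context, but neither the definition of that variable nor the updated parameter list of "executing a javascript: URL request" appears in this hunk. Confirm that the navigate algorithm defines `incumbentNavigationOrigin` before this step (the commit message says it is snapshotted at the top of the navigation algorithm) and that the callee's definition was changed to accept an origin rather than a source browsing context; otherwise this step passes an argument the invoked algorithm does not take.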
@@ -86524,15 +86523,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
8652486523
<p>If both of the following are true:</p>
8652586524

8652686525
<ul>
86527-
<li>
86528-
<p><var>source</var>'s <span>active document</span>'s <span
86529-
data-x="concept-document-origin">origin</span> is <span>same origin</span> with
86530-
<var>browsingContext</var>'s <span>active document</span>'s <span
86531-
data-x="concept-document-origin">origin</span>.</p>
86532-
86533-
<p class="XXX">As explained in <a href="https://github.com/whatwg/html/issues/2591">issue
86534-
#2591</a> this step does not work and presents a security issue.</p>
86535-
</li>
86526+
<li><p><var>initiatorOrigin</var> is <span>same origin-domain</span> with
86527+
<var>browsingContext</var>'s <span>active document</span>'s <span
86528+
data-x="concept-document-origin">origin</span>.</p></li>
8653686529

8653786530
<li><p>The result of <span>Should navigation request of type be blocked by Content Security
8653886531
Policy?</span> given <var>request</var> and <var>navigationType</var> is "<code
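Review bot: the new condition reads `initiatorOrigin` while the call site in the previous hunk passes `incumbentNavigationOrigin`; if these denote the same value, the parameter name in the definition of "executing a javascript: URL request" should make that binding explicit, because a reader of this hunk alone cannot tell where `initiatorOrigin` comes from. Also, replacing the "same origin" comparison against `source`'s active document (the racy check called out in the deleted XXX paragraph) with a "same origin-domain" comparison against a snapshotted origin both removes the race and widens the check to documents that have relaxed their origin via document.domain; a short informative note at this step giving the commit message's rationale (synchronous access to the document already implies the ability to run script in it) would help future readers see why the broader relation is acceptable here.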
