Bug 90267 - KHTML loads javascript from hosts for which the policy is reject
Summary: KHTML loads javascript from hosts for which the policy is reject
Status: RESOLVED FIXED
Alias: None
Product: konqueror
Classification: Applications
Component: khtml ecma
Version: 3.3
Platform: unspecified Linux
Importance: NOR grave
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2004-09-26 14:54 UTC by Anders Lund
Modified: 2005-01-07 13:11 UTC

Description Anders Lund 2004-09-26 14:54:13 UTC
Version:           3.3 (using KDE 3.3.89 (CVS >= 20040820), compiled sources)
Compiler:          gcc version 3.3.4 20040623 (Gentoo Linux 3.3.4-r1, ssp-3.3.2-2, pie-8.7.6)
OS:                Linux (i686) release 2.6.9-rc1-love1

I have a javascript policy of "reject" for the domain ".adtech.de". However, when a page (on a different domain) has the following code on a page:

 <script language="JavaScript"><!--
var myDate = new Date();
AT_MISC = myDate.getTime();
document.write('<scr' + 'ipt src="http://adserver.adtech.de/?addyn|2.0|323|92676|1|277|target=_blank;loc=100;misc=' + AT_MISC + ';">');
if (navigator.userAgent.indexOf("Mozilla/2.") >= 0 || navigator.userAgent.indexOf("MSIE") >= 0) {
document.write('<a href="http://adserver.adtech.de/?adlink|2.0|323|92676|1|277|ADTECH;loc=200;" target="_blank"><img src="http://adserver.adtech.de/?adserv|2.0|323|92676|1|277|ADTECH;loc=200;" border="0" width="2" height="2" alt="0"></a>');
}
document.write('</scr' + 'ipt>');// -->
</script>

that script will be requested and executed by KHTML.
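
The behaviour the report expects, as an added example (not KHTML code and not part of the original report): the policy decision is made when a script is requested and is keyed on the script URL's own host, so a SCRIPT element written by an allowed page is still checked. JsPolicy, hostOf and mayLoadScript are hypothetical names, and the matching rule (a leading-dot entry covers the domain and its subdomains, the most specific entry wins) is an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

enum class Policy { Accept, Reject };

// Hypothetical model of a per-domain JavaScript policy table.
// Keys are either an exact host ("static.adtech.de") or a domain (".adtech.de").
struct JsPolicy {
    std::map<std::string, Policy> rules;
    Policy fallback = Policy::Accept;   // assumed global default

    // Walk from the full host towards the TLD; the most specific rule wins.
    Policy lookup(std::string host) const {
        std::transform(host.begin(), host.end(), host.begin(),
                       [](unsigned char c) { return (char)std::tolower(c); });
        while (!host.empty() && host.back() == '.') host.pop_back();
        while (!host.empty()) {
            auto it = rules.find(host);                          // exact host rule
            if (it == rules.end()) it = rules.find("." + host);  // domain rule
            if (it != rules.end()) return it->second;
            auto dot = host.find('.');
            if (dot == std::string::npos) break;
            host.erase(0, dot + 1);                              // drop leftmost label
        }
        return fallback;
    }
};

// Extract the host from an already-resolved absolute URL.
// Userinfo and port are stripped; IPv6 literals are not handled.
std::string hostOf(const std::string& url) {
    auto start = url.find("://");
    if (start == std::string::npos) return "";
    start += 3;
    auto end = url.find_first_of("/?#", start);
    std::string auth = url.substr(start, end == std::string::npos ? end : end - start);
    auto at = auth.rfind('@');
    if (at != std::string::npos) auth.erase(0, at + 1);
    return auth.substr(0, auth.find(':'));
}

// Decision at script-request time: the script's host decides, not the host
// of the page that contains (or wrote) the SCRIPT element.
bool mayLoadScript(const JsPolicy& p, const std::string& scriptUrl) {
    return p.lookup(hostOf(scriptUrl)) == Policy::Accept;
}
```

With a ".adtech.de" reject entry, the adserver.adtech.de script from the report is refused regardless of which page requested it, while a look-alike host such as notadtech.de is not matched by the rule.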
Comment 1 dschrader 2004-12-15 02:40:40 UTC
In this example, isn't the javascript technically not from adtech.de? The links certainly reference it, but the javascript itself isn't actually *from* adtech.de, so this behavior should be expected, right? I mean, no javascript from adtech.de is being executed which is what is supposed to happen.
Comment 2 Anders Lund 2004-12-15 03:01:49 UTC
This is a typical example: The script prints a new SCRIPT element to the page, 
which again fetches a script located at adtech.de. It is *that* script that 
should not be fetched. But it is, and it is also executed.

I have earlier sent this patch to kfm-devel, which would actually fix it:

Index: loader.cpp
===================================================================
RCS file: /home/kde/kdelibs/khtml/misc/loader.cpp,v
retrieving revision 1.178
diff -u -u -b -B -r1.178 loader.cpp
--- loader.cpp  12 Nov 2004 00:02:21 -0000      1.178
+++ loader.cpp  7 Dec 2004 11:31:22 -0000
@@ -974,6 +974,8 @@
 CachedScript *DocLoader::requestScript( const DOM::DOMString &url, const 
QString& charset)
 {
     DOCLOADER_SECCHECK(true);
+    if ( ! 
KHTMLFactory::defaultHTMLSettings()->isJavaScriptEnabled(fullURL.host()) )
+       return 0L;
 
     CachedScript* s = Cache::requestObject<CachedScript, 
CachedObject::Script>( this, fullURL, 0 );
     if ( s )
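
Review bot: The added early return in DocLoader::requestScript ("return 0L;" after DOCLOADER_SECCHECK) has no comment explaining why a null CachedScript is returned. Add a one-line comment above the new "if" stating that scripts from hosts whose JavaScript policy is reject are not requested, so a null result here is recognisable as a policy decision. Style: "return 0L;" is indented seven spaces where the surrounding code uses four-space steps. Three lines of this hunk (the function signature, the new "if" and the Cache::requestObject call) have been wrapped in transit, so the patch will not apply as posted; resend it unwrapped or as an attachment.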

Comment 3 Anders Lund 2005-01-07 13:11:51 UTC
CVS commit by alund: 

Do not load javascript from unwanted sources.
Approved by David Faure.
BUG: 90267


  M +10 -8     loader.cpp   1.180


--- kdelibs/khtml/misc/loader.cpp  #1.179:1.180
@@ -977,4 +977,6 @@ CachedScript *DocLoader::requestScript( 
 {
     DOCLOADER_SECCHECK(true);
+    if ( ! KHTMLFactory::defaultHTMLSettings()->isJavaScriptEnabled(fullURL.host()) )
+        return 0L;
 
     CachedScript* s = Cache::requestObject<CachedScript, CachedObject::Script>( this, fullURL, 0 );
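
Review bot: The policy lookup in the new "if" is given only fullURL.host(), so for a script URL with an empty host the outcome depends entirely on what isJavaScriptEnabled() does with an empty string. State the intended behaviour for that case in a comment above the check, or test for an empty host explicitly before the lookup. The commit summary above lists loader.cpp as +10 -8 while this hunk shows two added lines, so the remaining changes in revision 1.180 should be reviewed as well.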