Opened 12 years ago

Closed 12 years ago

#4378 closed defect (fixed)

IE6 Security Problem with NodeList and document.domain

Reported by: guest
Owned by: alex
Priority: high
Milestone: 1.0
Component: Core
Version: 0.9
Keywords:
Cc: mavrukin@…; ibolotin@…
Blocked By:
Blocking:

Description

In our development we have come across a security issue when document.domain is altered when the page is loaded. Later on, when Dojo is loaded, the NodeList methods that extend the Array class use window.createPopup. This method call has a security issue as described here:

http://msdn2.microsoft.com/en-us/library/ms536392.aspx

Most discussions online suggest the use of an iframe instead of a popup window. Furthermore, an issue with using a popup is that Service Pack 2 of Windows XP specifically prohibits having more than 1 popup window in a page; thus, if one already exists, this call would fail as well.

Change History (7)

comment:1 Changed 12 years ago by guest

After some work, we have come across the following workaround, which requires us now to generate a custom build of dojo, since we can't make these changes in the AOL hosted version:

Inside of the NodeList.js file, where the check for IE is performed:

if(d.isIE) { ... }

Add the following code before popup creation:

var tmpDomain = document.domain; document.domain = window.location.host;

After the popup.show call is executed (we don't care about the domain information), return the domain to its previous state.

document.domain = tmpDomain;

comment:2 Changed 12 years ago by James Burke

FYI: setting document.domain can be used as part of a DNS rebinding attack. See the paper at this site: http://crypto.stanford.edu/dns/

I suggest we do not use a document.domain fix for the toolkit code.

comment:3 Changed 12 years ago by James Burke

Milestone: 1.0
Owner: changed from anonymous to alex

comment:4 Changed 12 years ago by tk

This is a problem in IE7 as well... Oddly enough, my popup blocker was "off" and once I turned it on, the warnings stopped coming...

-Karl

comment:5 in reply to:  4 Changed 12 years ago by tk

Replying to tk:

> This is a problem in IE7 as well... Oddly enough, my popup blocker was "off" and once I turned it on, the warnings stopped coming...
>
> -Karl

And it started a few minutes after... so yah, IE7 still has this problem, and I even have * and *.dojotoolkit.org in the allowed lists...

comment:6 Changed 12 years ago by James Burke

Not sure if this helps with debugging/reproducing, but this comment was left on the forums:

"I consistently get the error every time a page containing dojo 0.9 is loaded in a tab that is not the currently active one. If I then switch to the tab after the popup blocker has come up, and hit refresh (while keeping the tab active) the page loads fine."

comment:7 Changed 12 years ago by alex

Resolution: fixed
Status: changed from new to closed

(In [11044]) Fixes #4821. Fixes #4378. Now NodeLists are just arrays augmented with extra methods. splice() and slice() are still oddballs, but will be fixed shortly (in the same manner).
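
The approach named in the closing comment above (plain arrays augmented with extra methods, so nothing depends on window.createPopup or on document.domain), sketched as an added example. This is not Dojo's code from [11044]; `augmentNodeList`, `extraMethods` and the sample node objects are hypothetical names constructed for illustration.

```javascript
// Added illustration, not Dojo's implementation. All names are hypothetical.
// Extra methods are copied onto an ordinary array created in the current
// window, so no popup or second scripting context is ever created.
const extraMethods = {
  // Filter and keep the extra methods on the result.
  filter(fn) {
    return augmentNodeList(Array.prototype.filter.call(this, fn));
  },
  // Map and keep the extra methods on the result.
  map(fn) {
    return augmentNodeList(Array.prototype.map.call(this, fn));
  },
  // Chainable iteration: returns the list itself.
  forEach(fn) {
    Array.prototype.forEach.call(this, fn);
    return this;
  },
  // List-specific helper: read one property from every item.
  attr(name) {
    return Array.prototype.map.call(this, (node) => node[name]);
  }
};

function augmentNodeList(arr) {
  if (!Array.isArray(arr)) {
    throw new TypeError("augmentNodeList expects a real array");
  }
  for (const name of Object.keys(extraMethods)) {
    // Non-enumerable, so for...in and Object.keys still see only the indices.
    Object.defineProperty(arr, name, {
      value: extraMethods[name],
      enumerable: false,
      writable: true,
      configurable: true
    });
  }
  return arr;
}

// Constructed sample data: plain objects standing in for DOM nodes.
const sampleNodes = [
  { id: "a", tagName: "DIV" },
  { id: "b", tagName: "SPAN" },
  { id: "c", tagName: "DIV" }
];
```

Because the result is still a genuine array, `Array.isArray`, `length` and `push` behave natively, and any native method that is not re-wrapped returns an ordinary array without the extra methods.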
