
document.open() security origin aliasing fix

cbbbc03

Source/WebCore/dom/Document.cpp

- if (callerDocument)
- setSecurityOriginPolicy(callerDocument->securityOriginPolicy());
+ // Each document retains its own origin; same-origin is enforced by the
+ // check at the top of this function, not by sharing the origin object.
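Review bot: the replacement comment points at "the check at the top of this function", but the hunk carries no context lines, so the diff does not show which check that is or that every path reaching this spot has already passed it; include the check in the hunk context or name it in the comment. After this removal callerDocument is no longer referenced in the visible region; if Document::open() has no other use for it, the now-unused parameter or local should go too. A layout test asserting that a callee's document.domain is unchanged after the caller assigns document.domain would pin the fix.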

SecurityOrigin is WebKit's authoritative object for same-origin policy enforcement — it determines what resources a document can access. SecurityOriginPolicy wraps and owns a SecurityOrigin and is attached to each document. Normally, every document has its own independent SecurityOriginPolicy. document.open() reinitializes a document's content but is not supposed to change origin ownership.

The bug was that Document::open() called setSecurityOriginPolicy() with the caller document's policy object, so after a successful open() the callee held a reference to the caller's SecurityOriginPolicy instead of its own. Because a document.domain write mutates the underlying SecurityOrigin in place, a later document.domain assignment on the caller was silently reflected on the callee, without any explicit cross-document operation.

Before:
  CallerDoc ──► SecurityOriginPolicy ◄── CalleeDoc   (shared object)
                      │
               SecurityOrigin
          document.domain = 'x'   ← mutation visible through BOTH handles

After:
  CallerDoc ──► SecurityOriginPolicy     CalleeDoc ──► SecurityOriginPolicy
                      │                                       │
               SecurityOrigin (A)                    SecurityOrigin (B)
          document.domain = 'x'                  (unaffected, independent)

The fix deletes the setSecurityOriginPolicy() call (together with its callerDocument guard) and leaves a comment in its place. Same-origin enforcement relies on the check at the top of Document::open(), not on sharing the origin object, so the callee simply keeps the SecurityOriginPolicy it already had. This matches the HTML spec and the behavior of Gecko and Blink.

This was a same-origin policy boundary violation: a caller could assign its own document.domain and have that relaxation silently propagate to a document it had opened, because the two shared a single SecurityOrigin instance. document.domain relaxation is already a deprecated and dangerous feature; the aliasing gave it an even wider blast radius than intended, since the opened document became reachable from any other document that relaxed to the same parent domain, without ever opting in itself.
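The aliasing and its consequence, as an added model in JavaScript (this is illustrative code, not WebKit's: the SecurityOrigin, SecurityOriginPolicy and Document classes, the domainWasSetInDOM flag, the simplified document.domain suffix check, the sharePolicy switch that selects the buggy versus the fixed open(), and the example.com hostnames are all assumptions for the demonstration). It goes slightly beyond the page by adding a third document at another subdomain to show what the shared reference exposes.

```javascript
// Added example (model code, not WebKit's): why sharing the
// SecurityOriginPolicy between caller and callee aliases document.domain writes.
class SecurityError extends Error {}

class SecurityOrigin {
  constructor(protocol, host, port) {
    this.protocol = protocol;
    this.host = host;
    this.port = port;
    // Set once document.domain has been assigned: a domain-relaxed origin only
    // matches other domain-relaxed origins (WebKit keeps an equivalent flag).
    this.domainWasSetInDOM = false;
  }

  static fromURL(url) {
    const u = new URL(url);
    return new SecurityOrigin(u.protocol.replace(/:$/, ''), u.hostname, u.port);
  }

  // document.domain writes mutate the origin object in place; that mutation is
  // what becomes observable through a shared reference.
  setDomainFromDOM(newDomain) {
    this.host = newDomain;
    this.domainWasSetInDOM = true;
  }

  // Same-origin decision under the document.domain rules: neither side relaxed
  // -> scheme/host/port; both relaxed -> scheme/host; only one relaxed -> deny.
  canAccess(other) {
    if (this.protocol !== other.protocol || this.host !== other.host) return false;
    if (this.domainWasSetInDOM !== other.domainWasSetInDOM) return false;
    return this.domainWasSetInDOM || this.port === other.port;
  }
}

// Each document owns one policy, which owns one origin.
class SecurityOriginPolicy { constructor(origin) { this.origin = origin; } }

class Document {
  constructor(url) {
    this.securityOriginPolicy = new SecurityOriginPolicy(SecurityOrigin.fromURL(url));
  }

  get securityOrigin() { return this.securityOriginPolicy.origin; }
  get domain() { return this.securityOrigin.host; }

  // Simplified document.domain setter: the new value must be the current host or
  // a dot-separated suffix of it (the public-suffix check is omitted here).
  set domain(newDomain) {
    const host = this.securityOrigin.host;
    if (newDomain !== host && !host.endsWith('.' + newDomain)) {
      throw new SecurityError(`cannot set document.domain to ${newDomain}`);
    }
    this.securityOrigin.setDomainFromDOM(newDomain);
  }

  // Model of Document::open(). sharePolicy=true reproduces the removed
  // setSecurityOriginPolicy(callerDocument->securityOriginPolicy()) call.
  open(callerDocument, { sharePolicy = false } = {}) {
    // The same-origin check at the top of open() is what enforces SOP here,
    // not shared ownership of the origin object.
    if (callerDocument && !callerDocument.securityOrigin.canAccess(this.securityOrigin)) {
      throw new SecurityError('document.open(): caller is not same-origin');
    }
    // (content reinitialisation elided; it does not touch the origin)
    if (sharePolicy && callerDocument) {
      this.securityOriginPolicy = callerDocument.securityOriginPolicy; // the bug
    }
    return this;
  }
}

// Constructed scenario: caller and callee both at https://app.example.com. The
// caller opens the callee, then relaxes its own document.domain. A third document
// at https://other.example.com that also relaxed to example.com should reach the
// caller (both opted in) but never the callee (it did not opt in).
function scenario({ sharePolicy }) {
  const caller = new Document('https://app.example.com/');
  const callee = new Document('https://app.example.com/popup');
  const third = new Document('https://other.example.com/');
  callee.open(caller, { sharePolicy });
  caller.domain = 'example.com';
  third.domain = 'example.com';
  return {
    calleeDomain: callee.domain,
    thirdCanAccessCaller: third.securityOrigin.canAccess(caller.securityOrigin),
    thirdCanAccessCallee: third.securityOrigin.canAccess(callee.securityOrigin),
  };
}

// The guard at the top of open() rejects a cross-origin caller in both builds.
function crossOriginOpenIsRejected() {
  const caller = new Document('https://app.example.com/');
  const victim = new Document('https://bank.example.net/');
  try { victim.open(caller); return false; } catch (e) { return e instanceof SecurityError; }
}
```

With sharePolicy set to true, scenario() reports the callee's domain as example.com and the third document able to reach it; with the fix the callee keeps app.example.com and stays unreachable, while the caller, which did opt in, remains reachable. crossOriginOpenIsRejected() shows that the guard at the top of open(), not the shared reference, is what keeps cross-origin callers out in both versions.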


The fix rests on two assumptions: that each document's SecurityOrigin is correct at the time of the call, and that the same-origin check at the top of Document::open() covers every path into it. Edge cases in both areas are worth auditing.
