Safari same origin hole


Whilst investigating same origin javascript policy with Ronald from, I found another vulerability in Safari 3.02 beta on windows, it could also work on OS X but I haven’t tested it. Normally I would have reported this to Apple before releasing the details however the last time I found a problem with Safari Apple only seemed to respond and fix the problem when it went public. They even told me they don’t normally accept vulnerability reports unless you are registered as an Apple developer!


Same origin policy works by checking the domain names of communicating windows or iframes and document.domain a javascript property of the document object allows or denies this. The problem is that IE6, IE7 and Safari allow you to overwrite the document object with your own, at the moment it appears only Safari beta is vulnerable to this attack but I am pretty sure in the future another attack will be available for IE6 and IE7.

Proof of concept

The POC connects to Amazon through an iframe then overwrites the document object and stores a reference to the getElementById dom function. The document object is then manipulated with the Amazon domain but would work with any domain. Then the script displays your name from the Amazon page (if available) and then shows your cookies gathered from that domain.

Currently only tested on Safari beta 3.02 on windows through file:// not http://

Safari POC


I strongly recommend that you use Firefox instead of IE6, IE7 or Safari as that is the only browser which denies access to overwriting the document object.


One Response to “Safari same origin hole”

  1. Gareth Heyes writes:

    Confirmed working on OS X through file:// and Windows