
Bug 444474

Summary: Cross-frame-scripting security check in browser widget delivers false positives
Product: [RT] RAP
Reporter: Tillmann Seidel <tseidel>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
Version: 2.3
Target Milestone: 3.0 M2
Hardware: PC
OS: Windows 8
Whiteboard: sr232

Description Tillmann Seidel CLA 2014-09-18 08:59:18 EDT
The RWT browser widget checks in its execute method that the URL comes from the same domain and uses the same port.

However, the check does not take into account that, depending on the protocol, the port is sometimes implicit (port 80 for http, port 443 for https).

This leads to the effect that 
https://www.eclipsesource.com/blogs
and
https://www.eclipsesource.com:443/blogs
are considered different domains and therefore the SecurityRestriction applies.

Code hint: rwt.widgets.Browser.getDomain(url)
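A minimal same-origin check of the kind the report describes, written here as an added illustration (it is not RWT's rwt.widgets.Browser.getDomain and the function names are made up): the naive variant compares the port string literally and so reproduces the false positive, while the normalized variant fills in the scheme's default port before comparing.

```javascript
// Added example, not RWT code: same-origin comparison for a browser widget,
// showing why an implicit default port must be normalized before comparing.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Extract scheme, host and explicit port; port is "" when the URL omits it.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*:)\/\/([^/?#:]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

// Naive variant (the behaviour reported in this bug): "" and "443" are
// different strings, so https://host/ and https://host:443/ look like
// different origins and the security restriction fires.
function getDomainNaive(url) {
  const o = parseOrigin(url);
  return o ? `${o.scheme}//${o.host}:${o.port}` : null;
}

// Fixed variant: substitute the scheme's default port when none is given,
// so both spellings of the same origin compare equal. A non-default port
// (e.g. 8443) or a different scheme still yields a different origin.
function getDomainNormalized(url) {
  const o = parseOrigin(url);
  if (!o) return null;
  const port = o.port || DEFAULT_PORTS[o.scheme] || "";
  return `${o.scheme}//${o.host}:${port}`;
}

// Compare two URLs with the chosen getDomain; unparseable input is never "same".
function isSameOrigin(urlA, urlB, getDomain = getDomainNormalized) {
  const a = getDomain(urlA);
  const b = getDomain(urlB);
  return a !== null && a === b;
}
```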
Comment 1 Ivan Furnadjiev CLA 2014-09-22 05:27:46 EDT
Pending change: https://git.eclipse.org/r/#/c/33658/
Comment 2 Ivan Furnadjiev CLA 2014-09-22 06:19:50 EDT
Fixed in master with change https://git.eclipse.org/r/#/c/33658/.
Comment 3 Ivan Furnadjiev CLA 2015-01-28 05:22:58 EST
Backported to 2.3-maintenance branch with change https://git.eclipse.org/r/40524