WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED WORKSFORME
14765
Allow loading file://localhost/ resources from pages loaded with special://localhost/ URL
https://bugs.webkit.org/show_bug.cgi?id=14765
Summary
Allow loading file://localhost/ resources from pages loaded with special://lo...
Rush Manbert
Reported
2007-07-25 14:28:25 PDT
This is a regression from Safari 2. If a page is loaded by a custom protocol handler, it is not allowed to load *SOME* local resources. This includes navigation to local file:// resources. Strangely enough, local file:// image resources can be loaded, as can CSS style sheets. The problem here appears to be that the document created for the page loaded by the custom protocol handler has m_isAllowedToLoadLocalResources set to false. I realize that the custom protocol could do anything, but it's part of the application, so shouldn't it be trusted? Perhaps when you do the FrameLoader::canLoad() check you could look at the document protocol string and see if there is a protocol handler registered for it and return true if so? I have reported something similar in
Bug #14738
, but I later realized that it is a much more serious problem than "flash files won't load". The demonstration project attached to
bug #14738
demonstrates this problem too. If you load the HTML using the custom protocol, then the Back link does not work and you see an error message when you click on it.
Attachments
Add attachment
proposed patch, testcase, etc.
Geoffrey Garen
Comment 1
2007-07-25 22:31:12 PDT
In general, what you're reporting is intended behavior for security purposes. To compliment its new, strict security, WebKit for Safari 3 has new API for registering a custom URL protocol such that it is treated like file:///: @interface WebView + (void)registerURLSchemeAsLocal:(NSString *)scheme; @end
> Strangely enough, local file:// image resources can be loaded, as can CSS style sheets.
This is a security bug. If you have an example of this, please file it.
Rush Manbert
Comment 2
2007-07-26 17:55:22 PDT
(In reply to
comment #1
)
> In general, what you're reporting is intended behavior for security purposes. > > To compliment its new, strict security, WebKit for Safari 3 has new API for > registering a custom URL protocol such that it is treated like file:///: > > @interface WebView > + (void)registerURLSchemeAsLocal:(NSString *)scheme; > @end
> Ah, that makes things work much better. Now I can load local resources to my heart's content. Looks like this one can be resolved, at least as far as I am concerned.
> > Strangely enough, local file:// image resources can be loaded, as can CSS style sheets. > > This is a security bug. If you have an example of this, please file it. >
Please see #14772 (
http://bugs.webkit.org/show_bug.cgi?id=14772
)
Kevin McCullough
Comment 3
2007-07-30 10:51:47 PDT
Correct Behavior
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug