47730 2010-10-15 11:09:45 -0700 Web Inspector: grant access to local storage to web inspector 2010-12-07 08:58:11 -0800 1 1 1 Unclassified WebKit Web Inspector (Deprecated) 528+ (Nightly build) All All RESOLVED WONTFIX P2 Normal --- 0 podivilov webkit-unassigned abarth apavlov bweinstein eric joepeck keishi loislo pfeldman pmuellr rik timothy webkit-ews yurys oldest_to_newest 294824 0 podivilov 2010-10-15 11:09:45 -0700 In chrome, Web Inspector uses "chrome:" schema which has very limited permissions. However, we want to use localStorage to store front-end settings. 294827 1 70884 podivilov 2010-10-15 11:12:37 -0700 Created attachment 70884 Patch. 294832 2 70884 abarth 2010-10-15 11:18:21 -0700 Comment on attachment 70884 Patch. These "grant" API are like grenades without a pin. We shouldn't have them at all. A better design might be to run the inspector in the "chrome-extension" scheme. That way it can have its own public key to define who should have access to its local storage. 294836 3 webkit-ews 2010-10-15 11:27:18 -0700 Attachment 70884 did not build on qt: Build output: http://queues.webkit.org/results/4419052 294842 4 eric 2010-10-15 11:40:40 -0700 Attachment 70884 did not build on mac: Build output: http://queues.webkit.org/results/4470040 295400 5 70884 pfeldman 2010-10-18 01:57:37 -0700 Comment on attachment 70884 Patch. View in context: https://bugs.webkit.org/attachment.cgi?id=70884&action=review > WebCore/page/SecurityOrigin.h:124 > bool canAccessDatabase() const { return !isUnique(); } At some point we might want to use database and filesystem from within inspector. So the right solution is to make inspector non-Unique on all the platforms. 295405 6 abarth 2010-10-18 02:34:00 -0700 (In reply to comment #5) > (From update of attachment 70884 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=70884&action=review > > > WebCore/page/SecurityOrigin.h:124 > > bool canAccessDatabase() const { return !isUnique(); } > > At some point we might want to use database and filesystem from within inspector. So the right solution is to make inspector non-Unique on all the platforms. Indeed. However, we shouldn't do that by granting it magical privileges. Instead, we should use a URL scheme that doesn't impose uniqueness. 295406 7 pfeldman 2010-10-18 02:36:07 -0700 > Indeed. However, we shouldn't do that by granting it magical privileges. Instead, we should use a URL scheme that doesn't impose uniqueness. +1. That's exactly what I meant in the "non-Unique" part of the comment. 70884 2010-10-15 11:12:37 -0700 2010-10-18 01:57:37 -0700 Patch. patch text/plain 3803 podivilov ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg NGZkOTUzMi4uODVkMGEyZiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNiBAQAorMjAxMC0xMC0xNSAgUGF2ZWwgUG9kaXZp bG92ICA8cG9kaXZpbG92QGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBXZWIgSW5zcGVjdG9yOiBncmFudCBhY2Nlc3MgdG8gbG9j YWwgc3RvcmFnZSB0byB3ZWIgaW5zcGVjdG9yCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD00NzczMAorCisgICAgICAgICogcGFnZS9TZWN1cml0eU9yaWdp bi5jcHA6CisgICAgICAgIChXZWJDb3JlOjpTZWN1cml0eU9yaWdpbjo6U2VjdXJpdHlPcmlnaW4p OgorICAgICAgICAoV2ViQ29yZTo6U2VjdXJpdHlPcmlnaW46OmdyYW50TG9jYWxTdG9yYWdlQWNj ZXNzKToKKyAgICAgICAgKiBwYWdlL1NlY3VyaXR5T3JpZ2luLmg6CisgICAgICAgIChXZWJDb3Jl OjpTZWN1cml0eU9yaWdpbjo6Y2FuQWNjZXNzTG9jYWxTdG9yYWdlKToKKwogMjAxMC0xMC0xNSAg U2VyZ2lvIFZpbGxhciBTZW5pbiAgPHN2aWxsYXJAaWdhbGlhLmNvbT4KIAogICAgICAgICBSZXZp ZXdlZCBieSBYYW4gTG9wZXouCmRpZmYgLS1naXQgYS9XZWJDb3JlL3BhZ2UvU2VjdXJpdHlPcmln aW4uY3BwIGIvV2ViQ29yZS9wYWdlL1NlY3VyaXR5T3JpZ2luLmNwcAppbmRleCBmMGU5OTlmLi45 MTZmMmZlIDEwMDY0NAotLS0gYS9XZWJDb3JlL3BhZ2UvU2VjdXJpdHlPcmlnaW4uY3BwCisrKyBi L1dlYkNvcmUvcGFnZS9TZWN1cml0eU9yaWdpbi5jcHAKQEAgLTcxLDYgKzcxLDcgQEAgU2VjdXJp dHlPcmlnaW46OlNlY3VyaXR5T3JpZ2luKGNvbnN0IEtVUkwmIHVybCwgU2FuZGJveEZsYWdzIHNh bmRib3hGbGFncykKICAgICAsIG1fcG9ydCh1cmwucG9ydCgpKQogICAgICwgbV9pc1VuaXF1ZShp c1NhbmRib3hlZChTYW5kYm94T3JpZ2luKSB8fCBTY2hlbWVSZWdpc3RyeTo6c2hvdWxkVHJlYXRV UkxTY2hlbWVBc05vQWNjZXNzKG1fcHJvdG9jb2wpKQogICAgICwgbV91bml2ZXJzYWxBY2Nlc3Mo ZmFsc2UpCisgICAgLCBtX2xvY2FsU3RvcmFnZUFjY2VzcyhmYWxzZSkKICAgICAsIG1fZG9tYWlu V2FzU2V0SW5ET00oZmFsc2UpCiAgICAgLCBtX2VuZm9yY2VGaWxlUGF0aFNlcGFyYXRpb24oZmFs c2UpCiB7CkBAIC0zMjYsNiArMzI3LDExIEBAIHZvaWQgU2VjdXJpdHlPcmlnaW46OmdyYW50TG9h ZExvY2FsUmVzb3VyY2VzKCkKICAgICBtX2NhbkxvYWRMb2NhbFJlc291cmNlcyA9IHRydWU7CiB9 CiAKK3ZvaWQgU2VjdXJpdHlPcmlnaW46OmdyYW50TG9jYWxTdG9yYWdlQWNjZXNzKCkKK3sKKyAg ICBtX2xvY2FsU3RvcmFnZUFjY2VzcyA9IHRydWU7Cit9CisKIHZvaWQgU2VjdXJpdHlPcmlnaW46 OmdyYW50VW5pdmVyc2FsQWNjZXNzKCkKIHsKICAgICBtX3VuaXZlcnNhbEFjY2VzcyA9IHRydWU7 CmRpZmYgLS1naXQgYS9XZWJDb3JlL3BhZ2UvU2VjdXJpdHlPcmlnaW4uaCBiL1dlYkNvcmUvcGFn ZS9TZWN1cml0eU9yaWdpbi5oCmluZGV4IDJhNjM5NjYuLjUzMGMxNmYgMTAwNjQ0Ci0tLSBhL1dl YkNvcmUvcGFnZS9TZWN1cml0eU9yaWdpbi5oCisrKyBiL1dlYkNvcmUvcGFnZS9TZWN1cml0eU9y aWdpbi5oCkBAIC0xMTUsMTAgKzExNSwxNCBAQCBwdWJsaWM6CiAgICAgLy8gV0FSTklORzogVGhp cyBpcyBhbiBleHRyZW1lbHkgcG93ZXJmdWwgYWJpbGl0eS4gVXNlIHdpdGggY2F1dGlvbiEKICAg ICB2b2lkIGdyYW50VW5pdmVyc2FsQWNjZXNzKCk7CiAKKyAgICAvLyBFeHBsaWNpdGx5IGdyYW50 IHRoZSBhYmlsaXR5IHRvIGFjY2VzcyBsb2NhbCBzdG9yYWdlIHRvIHRoaXMKKyAgICAvLyBTZWN1 cml0eU9yaWdpbi4KKyAgICB2b2lkIGdyYW50TG9jYWxTdG9yYWdlQWNjZXNzKCk7CisKICAgICBi b29sIGlzU2FuZGJveGVkKFNhbmRib3hGbGFncyBtYXNrKSBjb25zdCB7IHJldHVybiBtX3NhbmRi b3hGbGFncyAmIG1hc2s7IH0KIAogICAgIGJvb2wgY2FuQWNjZXNzRGF0YWJhc2UoKSBjb25zdCB7 IHJldHVybiAhaXNVbmlxdWUoKTsgfQotICAgIGJvb2wgY2FuQWNjZXNzTG9jYWxTdG9yYWdlKCkg Y29uc3QgeyByZXR1cm4gIWlzVW5pcXVlKCk7IH0KKyAgICBib29sIGNhbkFjY2Vzc0xvY2FsU3Rv cmFnZSgpIGNvbnN0IHsgcmV0dXJuICFpc1VuaXF1ZSgpIHx8IG1fbG9jYWxTdG9yYWdlQWNjZXNz OyB9CiAgICAgYm9vbCBjYW5BY2Nlc3NDb29raWVzKCkgY29uc3QgeyByZXR1cm4gIWlzVW5pcXVl KCk7IH0KICAgICBib29sIGNhbkFjY2Vzc1Bhc3N3b3JkTWFuYWdlcigpIGNvbnN0IHsgcmV0dXJu ICFpc1VuaXF1ZSgpOyB9CiAgICAgYm9vbCBjYW5BY2Nlc3NGaWxlU3lzdGVtKCkgY29uc3QgeyBy ZXR1cm4gIWlzVW5pcXVlKCk7IH0KQEAgLTIxMCw2ICsyMTQsNyBAQCBwcml2YXRlOgogICAgIGJv b2wgbV91bml2ZXJzYWxBY2Nlc3M7CiAgICAgYm9vbCBtX2RvbWFpbldhc1NldEluRE9NOwogICAg IGJvb2wgbV9jYW5Mb2FkTG9jYWxSZXNvdXJjZXM7CisgICAgYm9vbCBtX2xvY2FsU3RvcmFnZUFj Y2VzczsKICAgICBib29sIG1fZW5mb3JjZUZpbGVQYXRoU2VwYXJhdGlvbjsKIH07CiAKZGlmZiAt LWdpdCBhL1dlYktpdC9jaHJvbWl1bS9DaGFuZ2VMb2cgYi9XZWJLaXQvY2hyb21pdW0vQ2hhbmdl TG9nCmluZGV4IDU4NzAyNWQuLjY4MjMyYzMgMTAwNjQ0Ci0tLSBhL1dlYktpdC9jaHJvbWl1bS9D aGFuZ2VMb2cKKysrIGIvV2ViS2l0L2Nocm9taXVtL0NoYW5nZUxvZwpAQCAtMSwzICsxLDEzIEBA CisyMDEwLTEwLTE1ICBQYXZlbCBQb2Rpdmlsb3YgIDxwb2Rpdmlsb3ZAY2hyb21pdW0ub3JnPgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFdlYiBJbnNw ZWN0b3I6IGdyYW50IGFjY2VzcyB0byBsb2NhbCBzdG9yYWdlIHRvIHdlYiBpbnNwZWN0b3IKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTQ3NzMwCisKKyAg ICAgICAgKiBzcmMvV2ViRGV2VG9vbHNGcm9udGVuZEltcGwuY3BwOgorICAgICAgICAoV2ViS2l0 OjpXZWJEZXZUb29sc0Zyb250ZW5kSW1wbDo6ZnJvbnRlbmRMb2FkZWQpOgorCiAyMDEwLTEwLTE0 ICBXZWkgSmlhICA8d2ppYUBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGFy aW4gRmlzaGVyLgpkaWZmIC0tZ2l0IGEvV2ViS2l0L2Nocm9taXVtL3NyYy9XZWJEZXZUb29sc0Zy b250ZW5kSW1wbC5jcHAgYi9XZWJLaXQvY2hyb21pdW0vc3JjL1dlYkRldlRvb2xzRnJvbnRlbmRJ bXBsLmNwcAppbmRleCA5MDViYzZkLi5iMmFmMmViIDEwMDY0NAotLS0gYS9XZWJLaXQvY2hyb21p dW0vc3JjL1dlYkRldlRvb2xzRnJvbnRlbmRJbXBsLmNwcAorKysgYi9XZWJLaXQvY2hyb21pdW0v c3JjL1dlYkRldlRvb2xzRnJvbnRlbmRJbXBsLmNwcApAQCAtMTI0LDYgKzEyNCw3IEBAIHZvaWQg V2ViRGV2VG9vbHNGcm9udGVuZEltcGw6OmRpc3BhdGNoT25JbnNwZWN0b3JGcm9udGVuZChjb25z dCBXZWJTdHJpbmcmIG1lc3NhCiAKIHZvaWQgV2ViRGV2VG9vbHNGcm9udGVuZEltcGw6OmZyb250 ZW5kTG9hZGVkKCkKIHsKKyAgICBtX3dlYlZpZXdJbXBsLT5wYWdlKCktPm1haW5GcmFtZSgpLT5k b2N1bWVudCgpLT5zZWN1cml0eU9yaWdpbigpLT5ncmFudExvY2FsU3RvcmFnZUFjY2VzcygpOwog ICAgIG1fY2xpZW50LT5zZW5kRnJvbnRlbmRMb2FkZWQoKTsKIH0KIAo=