| Field | Value |
|---|---|
| Summary | Block SVG external references pending a security review |
| Product | WebKit |
| Component | SVG |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Adam Barth <abarth> |
| Assignee | Adam Barth <abarth> |
| CC | eric, inferno, japhet, krit, ossy, senorblanco, thorton, webkit.review.bot, zimmermann |
| Keywords | InRadar, WebExposed |
Description
Adam Barth
2012-10-29 00:09:11 PDT

Created attachment 171165
Patch

I expect that this will cause some tests to fail. I haven't tested locally.

Comment on attachment 171165
Patch

r=me

Comment on attachment 171165
Patch

I would have phrased this the other way, and made the define = 0 in Platform.h. Or just turned it off for everyone if we're really concerned.

Sorry, I would have re-phrased the ENABLE in the positive as well. ENABLE_SVG_EXTERNAL_RESOURCES. The naming doesn't really matter that much. It also depends on how long we plan to keep it off. :)

Comment on attachment 171165
Patch

Ok. I'll flip around the enable.

Apparently the spec is going through a security review now. krit is going to look in the WebAppSec working group. I suspect the net result is that we're going to want to use CORS for these loads.

s/look/loop/

Created attachment 171295
Patch

Comment on attachment 171295
Patch

Is there a timeline for this review?

> Is there a timeline for this review?

I don't think krit has emailed security@chromium.org yet, but it will likely go in the review queue when he does.

Created attachment 171302
Patch for landing

Comment on attachment 171302
Patch for landing

Clearing flags on attachment: 171302

Committed r132849: <http://trac.webkit.org/changeset/132849>

All reviewed patches have been landed. Closing bug.

(In reply to comment #13)
> (From update of attachment 171302)
> Clearing flags on attachment: 171302
>
> Committed r132849: <http://trac.webkit.org/changeset/132849>

... and a fix landed in http://trac.webkit.org/changeset/132869 without any reference to the original bug and/or revision.

For future reference, these appear to have been re-enabled in http://trac.webkit.org/changeset/133538.