Bug 113345

Summary: View-source iframes are dangerous (and not very useful).
Product: WebKit Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.Assignee: Thomas Sepez <tsepez>
Severity: Normal CC: abarth, benjamin, cevans, cmarcelo, esprehn+autocc, esprehn, jschuh, ojan.autocc, timothy, tsepez, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
Patch, fix blank line. none

Description Thomas Sepez 2013-03-26 14:47:16 PDT
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636.

Memorable comments from that bug:
Collin: "View-source iframes seem dangerous in general; create a "captcha" that steals CSRF tokens, for example."
Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."
Adam: "It's non-standard and not supported by other browsers, AFAIK."

Platforms should have the option of excluding them, if they so desire.
Comment 1 Thomas Sepez 2013-03-29 14:05:10 PDT
Created attachment 195795 [details]
Comment 2 Thomas Sepez 2013-03-29 14:07:55 PDT
Created attachment 195797 [details]
Patch, fix blank line.
Comment 3 Adam Barth 2013-03-30 10:51:58 PDT
We might run into compat trouble, but I doubt it.
Comment 4 WebKit Review Bot 2013-03-30 11:21:13 PDT
Comment on attachment 195797 [details]
Patch, fix blank line.

Clearing flags on attachment: 195797

Committed r147280: <http://trac.webkit.org/changeset/147280>
Comment 5 WebKit Review Bot 2013-03-30 11:21:16 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Elliott Sprehn 2013-04-18 15:06:54 PDT
How do we know this didn't break real pages using viewsource? It seems like we should have restricted this to same origin iframes (and data urls). It's a pretty useful feature.
Comment 7 Chris Evans 2013-04-18 15:11:19 PDT
We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, FireFox)?
Comment 8 Elliott Sprehn 2013-04-18 15:18:09 PDT
(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, FireFox)?

That logic has never been true. :) Lots of Webkit only features appear in pages, ex. custom scrollbars. 

This feature _was_ useful for showing the contents of a contenteditable area in a syntax highlighted way, or showing the source of a blog post. Ex. your blog can show the post HTML to you.

I'd prefer if we could histogram this first, or restrict it to same origin iframes.
Comment 9 Elliott Sprehn 2013-04-18 16:04:32 PDT
I discussed with ojan and adamk and they both think no one uses this feature, so lets let it die! :)