| Summary: | View-source iframes are dangerous (and not very useful). |
|---|---|
| Product: | WebKit |
| Component: | WebCore Misc. |
| Reporter: | Thomas Sepez <tsepez> |
| Assignee: | Thomas Sepez <tsepez> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | 528+ (Nightly build) |
| Hardware: | Unspecified |
| OS: | Unspecified |
| CC: | abarth, benjamin, cevans, cmarcelo, esprehn+autocc, esprehn, jschuh, ojan.autocc, timothy, tsepez, webkit.review.bot |

Description
Thomas Sepez
2013-03-26 14:47:16 PDT
Created attachment 195795
Patch.

Created attachment 195797
Patch, fix blank line.

We might run into compat trouble, but I doubt it.

Comment on attachment 195797
Patch, fix blank line.
Clearing flags on attachment: 195797
Committed r147280: <http://trac.webkit.org/changeset/147280>

All reviewed patches have been landed. Closing bug.

How do we know this didn't break real pages using viewsource? It seems like we should have restricted this to same origin iframes (and data URLs). It's a pretty useful feature.

We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?

(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?

That logic has never been true. :) Lots of WebKit-only features appear in pages, ex. custom scrollbars. This feature _was_ useful for showing the contents of a contenteditable area in a syntax highlighted way, or showing the source of a blog post. Ex. your blog can show the post HTML to you. I'd prefer if we could histogram this first, or restrict it to same origin iframes.

I discussed with ojan and adamk and they both think no one uses this feature, so let's let it die! :)