Summary: View-source iframes are dangerous (and not very useful).
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Thomas Sepez <tsepez>
Severity: Normal
CC: abarth, benjamin, cevans, cmarcelo, esprehn+autocc, esprehn, jschuh, ojan.autocc, timothy, tsepez, webkit.review.bot
Version: 528+ (Nightly build)
Description Thomas Sepez 2013-03-26 14:47:16 PDT
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636. Memorable comments from that bug:

Collin: "View-source iframes seem dangerous in general; create a "captcha" that steals CSRF tokens, for example."

Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."

Adam: "It's non-standard and not supported by other browsers, AFAIK."

Platforms should have the option of excluding them, if they so desire.
Comment 2 Thomas Sepez 2013-03-29 14:07:55 PDT
Created attachment 195797: Patch, fix blank line.
Comment 3 Adam Barth 2013-03-30 10:51:58 PDT
We might run into compat trouble, but I doubt it.
Comment 4 WebKit Review Bot 2013-03-30 11:21:13 PDT
Comment on attachment 195797 (Patch, fix blank line).
Clearing flags on attachment: 195797
Committed r147280: <http://trac.webkit.org/changeset/147280>
Comment 5 WebKit Review Bot 2013-03-30 11:21:16 PDT
All reviewed patches have been landed. Closing bug.
Comment 6 Elliott Sprehn 2013-04-18 15:06:54 PDT
How do we know this didn't break real pages using view-source? It seems like we should have restricted this to same-origin iframes (and data URLs). It's a pretty useful feature.
Comment 7 Chris Evans 2013-04-18 15:11:19 PDT
We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?
Comment 8 Elliott Sprehn 2013-04-18 15:18:09 PDT
(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?

That logic has never been true. :) Lots of WebKit-only features appear in pages, e.g. custom scrollbars. This feature _was_ useful for showing the contents of a contenteditable area in a syntax-highlighted way, or showing the source of a blog post. E.g. your blog can show the post HTML to you. I'd prefer if we could histogram this first, or restrict it to same-origin iframes.
Comment 9 Elliott Sprehn 2013-04-18 16:04:32 PDT
I discussed with ojan and adamk and they both think no one uses this feature, so let's let it die! :)