Bug 113345

Summary: View-source iframes are dangerous (and not very useful).
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Thomas Sepez <tsepez>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, benjamin, cevans, cmarcelo, esprehn+autocc, esprehn, jschuh, ojan.autocc, timothy, tsepez, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
Patch. (flags: none)
Patch, fix blank line. (flags: none)

Thomas Sepez
Reported 2013-03-26 14:47:16 PDT
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636. Memorable comments from that bug:
Collin: "View-source iframes seem dangerous in general; create a 'captcha' that steals CSRF tokens, for example."
Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."
Adam: "It's non-standard and not supported by other browsers, AFAIK."
Platforms should have the option of excluding them, if they so desire.
Attachments
Patch. (6.02 KB, patch)
2013-03-29 14:05 PDT, Thomas Sepez
no flags
Patch, fix blank line. (5.54 KB, patch)
2013-03-29 14:07 PDT, Thomas Sepez
no flags
Thomas Sepez
Comment 1 2013-03-29 14:05:10 PDT
Thomas Sepez
Comment 2 2013-03-29 14:07:55 PDT
Created attachment 195797 [details] Patch, fix blank line.
Adam Barth
Comment 3 2013-03-30 10:51:58 PDT
We might run into compat trouble, but I doubt it.
WebKit Review Bot
Comment 4 2013-03-30 11:21:13 PDT
Comment on attachment 195797 [details] Patch, fix blank line.
Clearing flags on attachment: 195797
Committed r147280: <http://trac.webkit.org/changeset/147280>
WebKit Review Bot
Comment 5 2013-03-30 11:21:16 PDT
All reviewed patches have been landed. Closing bug.
Elliott Sprehn
Comment 6 2013-04-18 15:06:54 PDT
How do we know this didn't break real pages using viewsource? It seems like we should have restricted this to same origin iframes (and data urls). It's a pretty useful feature.
Chris Evans
Comment 7 2013-04-18 15:11:19 PDT
We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?
Elliott Sprehn
Comment 8 2013-04-18 15:18:09 PDT
(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?
That logic has never been true. :) Lots of WebKit-only features appear in pages, ex. custom scrollbars. This feature _was_ useful for showing the contents of a contenteditable area in a syntax highlighted way, or showing the source of a blog post. Ex. your blog can show the post HTML to you. I'd prefer if we could histogram this first, or restrict it to same origin iframes.
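The two positions in this thread can be written down as a policy check: the landed change lets a platform exclude view-source iframes altogether, while comments 6 and 8 propose the narrower rule of allowing them only for same-origin documents and data: URLs (where the embedder already owns the source, so no cross-origin content such as another site's CSRF tokens is rendered). The following is an added example modelling both rules, not WebKit's own code (which lives in WebCore, in C++); the function and option names, the `settings.allowViewSourceFrames` switch, and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not WebKit's code: a model of the two policies discussed in this bug,
// (a) the landed behaviour, where a platform can exclude view-source iframes entirely,
// and (b) the narrower restriction proposed in comments 6 and 8, allowing them only for
// same-origin documents and data: URLs. Function and option names are assumptions.

// Returns the tuple origin for http(s) URLs, or null for opaque-origin schemes.
function originOf(url) {
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.origin : null;
}

// Decide whether a document at parentUrl may embed frameUrl with view-source rendering.
// settings.allowViewSourceFrames is the assumed platform-level switch (false = excluded).
function canViewSourceFrame(parentUrl, frameUrl, settings = { allowViewSourceFrames: true }) {
  if (!settings.allowViewSourceFrames) return false;

  let parent;
  let frame;
  try {
    parent = new URL(parentUrl);
    frame = new URL(frameUrl, parentUrl); // resolve relative references against the embedder
  } catch {
    return false; // unparsable URL: deny
  }

  // data: URLs carry source supplied by the embedder itself, so nothing cross-origin is exposed.
  if (frame.protocol === 'data:') return true;

  // Everything else must be same-origin with the embedder. Opaque origins never match,
  // which also rejects javascript:, about: and similar schemes.
  const parentOrigin = originOf(parent);
  const frameOrigin = originOf(frame);
  return parentOrigin !== null && parentOrigin === frameOrigin;
}

// Worked cases mirroring the discussion (constructed sample URLs): a blog showing the
// source of its own post is allowed, a third-party document is not.
function demo() {
  const embedder = 'https://blog.example/posts/42';
  const cases = [
    ['https://blog.example/posts/42', true],
    ['/posts/42?view=1', true],
    ['data:text/html,<p>draft</p>', true],
    ['https://bank.example/account', false],
    ['http://blog.example/posts/42', false], // scheme differs, so not same-origin
    ['javascript:void(0)', false],
  ];
  return cases.map(([frameUrl, expected]) => ({
    frameUrl,
    allowed: canViewSourceFrame(embedder, frameUrl),
    expected,
  }));
}

for (const r of demo()) {
  console.log((r.allowed === r.expected ? 'ok   ' : 'FAIL ') + r.frameUrl);
}
```

Relative references are resolved against the embedding document before the origin comparison, so a path-only `src` counts as same-origin; any scheme without a tuple origin (javascript:, about:) is rejected rather than special-cased, and a platform that sets the switch to `false` gets the behaviour the landed patch describes regardless of origin.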
Elliott Sprehn
Comment 9 2013-04-18 16:04:32 PDT
I discussed with ojan and adamk and they both think no one uses this feature, so let's let it die! :)