Bug 113345

Summary: View-source iframes are dangerous (and not very useful).
Product: WebKit
Component: WebCore Misc.
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Reporter: Thomas Sepez <tsepez>
Assignee: Thomas Sepez <tsepez>
CC: abarth, benjamin, cevans, cmarcelo, esprehn+autocc, esprehn, jschuh, ojan.autocc, timothy, tsepez, webkit.review.bot
Attachments:
Description             Flags
Patch.                  none
Patch, fix blank line.  none

Description Thomas Sepez 2013-03-26 14:47:16 PDT
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636.

Memorable comments from that bug:
Collin: "View-source iframes seem dangerous in general; create a "captcha" that steals CSRF tokens, for example."
Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."
Adam: "It's non-standard and not supported by other browsers, AFAIK."

Platforms should have the option of excluding them, if they so desire.
Comment 1 Thomas Sepez 2013-03-29 14:05:10 PDT
Created attachment 195795 [details]
Patch.
Comment 2 Thomas Sepez 2013-03-29 14:07:55 PDT
Created attachment 195797 [details]
Patch, fix blank line.
Comment 3 Adam Barth 2013-03-30 10:51:58 PDT
We might run into compat trouble, but I doubt it.
Comment 4 WebKit Review Bot 2013-03-30 11:21:13 PDT
Comment on attachment 195797 [details]
Patch, fix blank line.

Clearing flags on attachment: 195797

Committed r147280: <http://trac.webkit.org/changeset/147280>
Comment 5 WebKit Review Bot 2013-03-30 11:21:16 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Elliott Sprehn 2013-04-18 15:06:54 PDT
How do we know this didn't break real pages using viewsource? It seems like we should have restricted this to same origin iframes (and data urls). It's a pretty useful feature.
Comment 7 Chris Evans 2013-04-18 15:11:19 PDT
We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?
Comment 8 Elliott Sprehn 2013-04-18 15:18:09 PDT
(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?

That logic has never been true. :) Lots of WebKit-only features appear in pages, ex. custom scrollbars.

This feature _was_ useful for showing the contents of a contenteditable area in a syntax highlighted way, or showing the source of a blog post. Ex. your blog can show the post HTML to you.

I'd prefer if we could histogram this first, or restrict it to same origin iframes.
Comment 9 Elliott Sprehn 2013-04-18 16:04:32 PDT
I discussed with ojan and adamk and they both think no one uses this feature, so let's let it die! :)