| Summary: | Cross-frame scripting checks should not restrict access to data: URLs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Geoffrey Garen <ggaren> | ||||
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> | ||||
| Status: | NEW --- | ||||||
| Severity: | Normal | CC: | abarth, ap, dbates, gavin.sharp, jchaffraix, jruderman, jschuh, jwalden+bwo, sam, webkit | ||||
| Priority: | P2 | ||||||
| Version: | 420+ | ||||||
| Hardware: | Mac | ||||||
| OS: | OS X 10.4 | ||||||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=250418 | ||||||
| Attachments: |
|
||||||
|
Description
Geoffrey Garen
2006-12-19 16:09:03 PST
I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed. It would a good first step to document exactly what Firefox and Opera do. Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally. I believe the current behavior of Firefox is an XSS security risk. See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk. HTML 5 specs Firefox's behavior: "If a Document or image was generated from a data: URL found in another Document or in a script The origin is the origin of the Document or script in which the data: URL was found." Some of the public-web-security discussion: http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with. Created attachment 73217 [details]
Wrong patch (has vulnerabilities)
I think we should do this, but the implementation is not trivial. The approach in the above patch doesn't work, sadly. |