Bug 11885

Summary: Cross-frame scripting checks should not restrict access to data: URLs
Product: WebKit
Reporter: Geoffrey Garen <ggaren>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: abarth, ap, dbates, gavin.sharp, jchaffraix, jruderman, jschuh, jwalden+bwo, sam, webkit
Priority: P2
Version: 420+
Hardware: Mac
OS: OS X 10.4
See Also: https://bugs.webkit.org/show_bug.cgi?id=250418
Attachments: Wrong patch (has vulnerabilities) (4.17 KB, patch), 2010-11-07 23:45 PST, Adam Barth, no flags

Geoffrey Garen
Reported 2006-12-19 16:09:03 PST
See http://bugs.webkit.org/attachment.cgi?id=11925 for an example of a script that fails because of it.
Sam Weinig
Comment 1 2008-01-23 22:33:51 PST
I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed. It would be a good first step to document exactly what Firefox and Opera do.
Adam Barth
Comment 2 2008-01-23 22:39:46 PST
Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally.
Maciej Stachowiak
Comment 3 2008-01-24 21:15:40 PST
I believe the current behavior of Firefox is an XSS security risk.
Jesse Ruderman
Comment 4 2008-01-24 21:27:35 PST
See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk.
Adam Barth
Comment 5 2009-02-14 16:40:25 PST
HTML 5 specs Firefox's behavior: "If a Document or image was generated from a data: URL found in another Document or in a script The origin is the origin of the Document or script in which the data: URL was found."
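To make the two candidate policies concrete, here is an added example (not WebKit code, and not from anyone on this bug) that models the origin of a data: document under the HTML5 rule quoted above, next to a restrictive policy in which every data: document gets its own unique origin. The documents, the hosts example.com and other.example, and the helper names are all constructed for the example; the only behaviour taken from the spec text is that a data: document inherits the origin of the document in which the data: URL was found.

```javascript
// Added example: models origin assignment for data: documents.
// Not WebKit's implementation; documents are constructed objects.

// A document is { url, creator, opaque }. `creator` is the document (or the
// script's document) in which the data: URL was found, null if none.
function makeDocument(url, creator = null) {
  return { url: new URL(url), creator, opaque: null };
}

let uniqueCounter = 0;

// A unique (opaque) origin is equal only to itself, so cache it per document.
function uniqueOrigin(doc) {
  if (doc.opaque === null) doc.opaque = `unique-${++uniqueCounter}`;
  return doc.opaque;
}

// HTML5 policy (quoted in comment 5): a data: document inherits the origin
// of the document or script in which the data: URL was found.
function originInherit(doc) {
  if (doc.url.protocol === "data:") {
    // No creator (e.g. typed into the address bar): nothing to inherit.
    if (doc.creator === null) return uniqueOrigin(doc);
    return originInherit(doc.creator);
  }
  return doc.url.origin; // scheme://host[:port] as a string
}

// Restrictive policy, modelled here for contrast (an assumption, not a
// description of WebKit internals): every data: document is its own origin.
function originOpaque(doc) {
  if (doc.url.protocol === "data:") return uniqueOrigin(doc);
  return doc.url.origin;
}

// Cross-frame script access is permitted only between same-origin documents.
function canScript(from, to, originFn) {
  return originFn(from) === originFn(to);
}

// Scenarios: a page frames its own data: URL, and a cross-origin page
// frames a data: URL of its own inside the first page's tree.
function demo() {
  const top = makeDocument("https://example.com/page");
  const ownData = makeDocument("data:text/html,<p>hello</p>", top);
  const other = makeDocument("https://other.example/");
  const otherData = makeDocument("data:text/html,<p>x</p>", other);
  return {
    // HTML5 rule: the page may script the data: frame it created.
    inheritOwnData: canScript(top, ownData, originInherit),
    // Restrictive rule: the same access is denied (the behaviour this bug is about).
    opaqueOwnData: canScript(top, ownData, originOpaque),
    // HTML5 rule: a data: frame created by a cross-origin page stays cross-origin.
    inheritForeignData: canScript(top, otherData, originInherit),
    // A document is always same-origin with itself.
    inheritSelf: canScript(otherData, otherData, originInherit),
  };
}

console.log(demo());
```

The inherit policy is what makes the `top` / `ownData` case work without opening access to `otherData`: the data: frame takes the origin of whoever embedded it, so a frame created by other.example cannot reach example.com and vice versa.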
Ojan Vafai
Comment 6 2010-03-29 11:11:04 PDT
Some of the public-web-security discussion:
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html
I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with.
Adam Barth
Comment 7 2010-11-07 23:45:33 PST
Created attachment 73217: Wrong patch (has vulnerabilities)
Adam Barth
Comment 8 2010-11-07 23:46:35 PST
I think we should do this, but the implementation is not trivial. The approach in the above patch doesn't work, sadly.