Summary: Cross-frame scripting checks should not restrict access to data: URLs
Product: WebKit
Reporter: Geoffrey Garen <ggaren>
Severity: Normal
CC: abarth, ap, dbates, gavin.sharp, jchaffraix, jruderman, jschuh, jwalden+bwo, sam, webkit
OS: OS X 10.4
Description Geoffrey Garen 2006-12-19 16:09:03 PST
See http://bugs.webkit.org/attachment.cgi?id=11925 for an example of a script that fails because of it.
Comment 1 Sam Weinig 2008-01-23 22:33:51 PST
I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed. It would be a good first step to document exactly what Firefox and Opera do.
Comment 2 Adam Barth 2008-01-23 22:39:46 PST
Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally.
Comment 3 Maciej Stachowiak 2008-01-24 21:15:40 PST
I believe the current behavior of Firefox is an XSS security risk.
Comment 4 Jesse Ruderman 2008-01-24 21:27:35 PST
See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk.
Comment 5 Adam Barth 2009-02-14 16:40:25 PST
HTML 5 specs Firefox's behavior:
"If a Document or image was generated from a data: URL found in another Document or in a script
The origin is the origin of the Document or script in which the data: URL was found."
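The two policies discussed in this thread, as an added example that is not part of the bug report and is not WebKit or Gecko code: a small model of the cross-frame access check that compares a unique origin per data: document with the inherit-from-creator rule quoted in Comment 5. The `{ url, creator }` document shape, all function names and the sample URLs are assumptions constructed for illustration.

```javascript
// Model of the cross-frame scripting check under two data: URL origin policies.
// A document is { url, creator }; creator is the document in which the URL was
// found (null for a top-level load). All names here are hypothetical.
const opaqueIds = new WeakMap();
let nextOpaque = 0;

// Restrictive policy: every data: document gets its own unique origin.
function uniqueOrigin(doc) {
  const parsed = new URL(doc.url);
  if (parsed.protocol !== 'data:') return { tuple: parsed.origin };
  if (!opaqueIds.has(doc)) opaqueIds.set(doc, ++nextOpaque);
  return { opaque: opaqueIds.get(doc) };
}

// Rule quoted in Comment 5: a data: document takes the origin of the
// document in which the data: URL was found, followed up the creator chain.
function inheritedOrigin(doc) {
  const isData = new URL(doc.url).protocol === 'data:';
  return isData && doc.creator ? inheritedOrigin(doc.creator) : uniqueOrigin(doc);
}

// Tuple origins match by value; a unique origin matches only itself.
function sameOrigin(a, b) {
  if (a.tuple !== undefined || b.tuple !== undefined) return a.tuple === b.tuple;
  return a.opaque === b.opaque;
}

function canScript(accessor, target, policy) {
  return sameOrigin(policy(accessor), policy(target));
}

// Constructed sample documents.
const embedder = { url: 'https://a.example/page.html', creator: null };
const child = { url: 'data:text/html,<p>child</p>', creator: embedder };
const nested = { url: 'data:text/html,<p>nested</p>', creator: child };
const other = { url: 'https://b.example/', creator: null };
const otherChild = { url: 'data:text/html,<p>x</p>', creator: other };

for (const [label, policy] of [['unique', uniqueOrigin], ['inherited', inheritedOrigin]]) {
  console.log(label, {
    embedderToChild: canScript(embedder, child, policy),
    embedderToNested: canScript(embedder, nested, policy),
    otherToChild: canScript(other, child, policy),
    childToOtherChild: canScript(child, otherChild, policy),
  });
}
```

Under the inherited rule the check depends entirely on which document supplied the data: URL, so the `creator` link is the value an implementation has to track reliably.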
Comment 6 Ojan Vafai 2010-03-29 11:11:04 PDT
Some of the public-web-security discussion:
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html
I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with.
Comment 7 Adam Barth 2010-11-07 23:45:33 PST
Created attachment 73217: Wrong patch (has vulnerabilities)
Comment 8 Adam Barth 2010-11-07 23:46:35 PST
I think we should do this, but the implementation is not trivial. The approach in the above patch doesn't work, sadly.