| Summary: | Pages loaded with special:// can load file:// resources that should not be allowed | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Rush Manbert <rush> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | Major | CC: | ggaren |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 523.x (Safari 3) | | |
| Hardware: | Mac | | |
| OS: | OS X 10.4 | | |
| Attachments: | | | |

Description
Rush Manbert
2007-07-26 17:48:51 PDT
Created attachment 15694
Demo project that shows the problem.
So I learned something new today. Here's what's happening. For the security change there is a linked-on-or-after check that will enforce the stronger security if you link against a newer WebKit (newer than when the check was added). The system WebKit on Tiger will not have this added security, and because of a versioning quirk neither does a locally built WebKit. The only way you can see this behavior, currently, is to use Leopard (e.g. a WWDC distribution). If you believe you are already linking against a Leopard system WebKit (use the command "otool -L <path to SpecialPictureProtocol.app/Contents/MacOS/SpecialPictureProtocol>" to see which WebKit it is linking against), then you may need to change your project settings in Xcode to not use the Tiger SDK. In Xcode, use Get Info on the SpecialPictureProtocol project. In the General tab, go to "Cross-Develop Using Target SDK:" and change that drop-down to Current Mac OS (if in Leopard). That should cause you to link against the latest WebKit and hit the linked-on-or-after check.
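
One way to script the `otool -L` check described in the comment above, as an added example that is not part of the original report or of WebKit. The function names, the sample `otool -L` lines and the version numbers in them are constructed for illustration, and the script reads `otool` output on stdin so it can be exercised without a Mac.

```shell
#!/bin/sh
# Added example: report which WebKit a binary links against, given the
# output of `otool -L <binary>` on stdin.
# Prints "<origin> <install path> <current version>"; returns 1 if no
# WebKit framework appears in the load commands.
webkit_link_info() {
    awk '
        # Match only the WebKit framework binary itself, not sub-frameworks
        # such as WebCore that live inside WebKit.framework.
        /\/WebKit\.framework\/.*WebKit \(/ {
            path = $0
            sub(/^[ \t]+/, "", path)                    # strip leading tab
            sub(/ \(compatibility version.*/, "", path) # keep the path only
            ver = "unknown"
            if (match($0, /current version [0-9.]+/))
                ver = substr($0, RSTART + 16, RLENGTH - 16)
            # A path under /System/Library/Frameworks is the OS-supplied copy;
            # anything else is an embedded or otherwise relocated framework.
            origin = (path ~ /^\/System\/Library\/Frameworks\//) ? "system" : "non-system"
            print origin, path, ver
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: binary linked against the system WebKit.
sample_system() {
    printf 'SpecialPictureProtocol:\n'
    printf '\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 12.0.0)\n'
    printf '\t/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 523.10.3)\n'
}

# Constructed sample: binary linked against a WebKit copy embedded in the app.
sample_embedded() {
    printf 'SpecialPictureProtocol:\n'
    printf '\t@executable_path/../Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 523.10.3)\n'
}

# Real use on a Mac: otool -L <path to binary> | webkit_link_info
sample_system | webkit_link_info
```

The reported path and version say which WebKit the binary was linked against; whether that version passes the linked-on-or-after check depends on a threshold the report does not state.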