Summary: | Prevent scheme handlers from handling all built-in URL schemes | |
---|---|---|---
Product: | WebKit | Reporter: | Brady Eidson <beidson>
Component: | WebKit2 | Assignee: | Brady Eidson <beidson>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | aestes, commit-queue
Priority: | P2 | Keywords: | InRadar
Version: | WebKit Nightly Build | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Description
Brady Eidson
2017-06-02 12:57:46 PDT
Created attachment 311860 [details]
Patch
Comment on attachment 311860 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=311860&action=review

> Source/WebCore/platform/SchemeRegistry.cpp:63
> + // Other misc schemes that the SchemeRegistry doesn't know about.
> + schemes.get().add("webkit-fake-url");
> +#if PLATFORM(MAC)
> + schemes.get().add("safari-extension");
> +#endif

There's also x-apple-ql-id (QLPreviewProtocol()) and x-apple-content-filter (ContentFilter::urlScheme()).

What happens if someone tries to register schemes used by system apps (tel:, mailto:, etc.)? Those were probably hijackable by NSURLProtocol, so maybe they should be hijackable here too. Just wondering if you'd thought about it.

(In reply to Andy Estes from comment #3)
> What happens if someone tries to register schemes used by system apps (tel:,
> mailto:, etc.)? Those were probably hijackable by NSURLProtocol, so maybe
> they should be hijackable here too. Just wondering if you'd thought about it.

We have thought about it, and they definitely get to be hijackable. They are not URLs WebKit handles internally.

Created attachment 311870 [details]
Patch
Comment on attachment 311870 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=311870&action=review

> Source/WebCore/platform/SchemeRegistry.cpp:73
> +#if PLATFORM(IOS)
> + schemes.get().add(QLPreviewProtocol());
> +#endif

This might break tvOS and watchOS builds. I'd use USE(QUICK_LOOK) instead.

Created attachment 311874 [details]
Patch
Comment on attachment 311874 [details]
Patch

Clearing flags on attachment: 311874

Committed r217738: <http://trac.webkit.org/changeset/217738>

All reviewed patches have been landed. Closing bug.
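
Added example, not part of the bug thread and not WebKit's code: a minimal registry that refuses custom handlers for engine-handled schemes while leaving system-app schemes such as tel and mailto registrable, as the thread describes. All type and function names are hypothetical, the http/https/file/about/data/blob entries are an assumed list, and the platform guards from the patch are omitted.

```cpp
#include <cctype>
#include <set>
#include <string>

// Hypothetical names throughout; this is not WebKit's SchemeRegistry API.
enum class RegisterResult { Registered, RejectedBuiltin, RejectedInvalid, RejectedDuplicate };

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), case-insensitive.
// Writes the lower-cased scheme to `out`; returns false on invalid syntax.
static bool canonicalScheme(const std::string& raw, std::string& out) {
    out.clear();
    if (raw.empty() || !std::isalpha(static_cast<unsigned char>(raw[0])))
        return false;
    for (unsigned char c : raw) {
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.')
            return false;
        out.push_back(static_cast<char>(std::tolower(c)));
    }
    return true;
}

class HandlerRegistry {
public:
    // Checks the canonical form, so "HTTPS" cannot slip past a lower-case blocklist.
    RegisterResult registerHandler(const std::string& rawScheme) {
        std::string scheme;
        if (!canonicalScheme(rawScheme, scheme))
            return RegisterResult::RejectedInvalid;
        if (builtinSchemes().count(scheme))
            return RegisterResult::RejectedBuiltin;
        return m_custom.insert(scheme).second ? RegisterResult::Registered
                                              : RegisterResult::RejectedDuplicate;
    }

private:
    static const std::set<std::string>& builtinSchemes() {
        static const std::set<std::string> schemes = {
            // Assumed engine-handled schemes (constructed list, not from the page).
            "http", "https", "file", "about", "data", "blob",
            // Schemes named in the review thread (platform guards omitted here).
            "webkit-fake-url", "safari-extension", "x-apple-ql-id", "x-apple-content-filter",
        };
        return schemes;
    }
    std::set<std::string> m_custom; // canonical schemes that already have a handler
};
```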