Bug 214669

Summary: Web Inspector: developerExtrasEnabled should be respected when opening local Web Inspector (part 2)
Product: WebKit Reporter: Blaze Burg <bburg>
Component: Web InspectorAssignee: Blaze Burg <bburg>
Status: RESOLVED FIXED    
Severity: Normal CC: bburg, hi, inspector-bugzilla-changes, joepeck, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=214573
Attachments:
Description Flags
Patch
none
Patch none

Blaze Burg
Reported 2020-07-22 18:07:04 PDT
.
Attachments
Patch (1.49 KB, patch)
2020-07-22 18:14 PDT, Blaze Burg 		no flags
DetailsFormatted DiffDiff
Patch (1.90 KB, patch)
2020-07-23 15:15 PDT, Blaze Burg 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Blaze Burg
Comment 1 2020-07-22 18:14:24 PDT
Created attachment 405004 [details] Patch
Blaze Burg
Comment 2 2020-07-22 18:15:13 PDT
<rdar://65885126>
Joseph Pecoraro
Comment 3 2020-07-22 18:43:14 PDT
Comment on attachment 405004 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review > Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 > + if (!m_inspectedPage->preferences().developerExtrasEnabled()) > + return; How would it be possible to get here?
Blaze Burg
Comment 4 2020-07-23 13:43:11 PDT
Comment on attachment 405004 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >> + return; > > How would it be possible to get here? A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen.
Joseph Pecoraro
Comment 5 2020-07-23 13:45:51 PDT
Comment on attachment 405004 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>> + return; >> >> How would it be possible to get here? > > A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well.
Devin Rousso
Comment 6 2020-07-23 13:46:39 PDT
Comment on attachment 405004 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>>> + return; >>> >>> How would it be possible to get here? >> >> A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. > > Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well. Based on this logic there should probably be a check for `WebInspectorProxy::append` too.
Devin Rousso
Comment 7 2020-07-23 13:47:11 PDT
ah lol @Joe beat me to it :P r=me as well :)
Blaze Burg
Comment 8 2020-07-23 15:07:14 PDT
Comment on attachment 405004 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405004&action=review >>>>> Source/WebKit/UIProcess/Inspector/WebInspectorProxy.cpp:671 >>>>> + return; >>>> >>>> How would it be possible to get here? >>> >>> A compromised WebContent process may try to trick UIProcess into using Inspector functionality even if it's disabled. We don't want that to happen. >> >> Sounds good. Is this the only command then? It seems `WebInspectorProxy::append` could be concerning as well. > > Based on this logic there should probably be a check for `WebInspectorProxy::append` too. I'll address ::append as well.
Blaze Burg
Comment 9 2020-07-23 15:15:47 PDT
Created attachment 405082 [details] Patch
EWS
Comment 10 2020-07-23 15:48:33 PDT
Committed r264803: <https://trac.webkit.org/changeset/264803> All reviewed patches have been landed. Closing bug and clearing flags on attachment 405082 [details].
Note You need to log in before you can comment on or make changes to this bug.