| Field | Value |
|---|---|
| Summary | New spec: Block external protocol handler in sandboxed frames |
| Product | WebKit |
| Component | DOM |
| Reporter | Arthur Sonzogni <arthursonzogni> |
| Assignee | Chris Dumez <cdumez> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | achristensen, bfulgham, cdumez, ews-watchlist, ggaren, hi, mkwst, thorton, webkit-bug-importer, wenson_hsieh |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| See Also | https://bugs.webkit.org/show_bug.cgi?id=237269 |
| Bug Depends on | 232769, 236516 |
| Bug Blocks | |
Description

Arthur Sonzogni, 2021-10-14 01:51:12 PDT

Created attachment 443258 [details]
Patch

Comment on attachment 443258 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443258&action=review

Vaguely worried about ads that want to pop to the App Store. Also about third party app compatibility. But no concrete examples of either.

> Source/WebKit/ChangeLog:13
> + an external apps.

“An external apps”

> Source/WebKit/UIProcess/WebPageProxy.cpp:5359
> + WEBPAGEPROXY_RELEASE_LOG_ERROR(Process, "Ignoring request to load this main resource because it has a custom protocol and comes from a sandbox iframe");

“Sandboxed”? Also should we log to the inspector too?

Created attachment 443305 [details]
Patch

Created attachment 443323 [details]
Patch

Created attachment 443438 [details]
Patch

The iOS API test failure is caused by Bug 232769.

Created attachment 443478 [details]
Patch

Ping review?

Comment on attachment 443478 [details]
Patch

R=me

Committed r285501 (244025@main): <https://commits.webkit.org/244025@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 443478 [details].

Hi Chris,

Some data I gathered on Chrome about enabling this. This would impact ~0.015% of pages. Among them, a good quarter is triggered from https://teams.microsoft.com with the msteam: protocol. They have been notified about it here: https://github.com/whatwg/html/issues/2191#issuecomment-952283644 and we hope this will contribute to reducing the number of impacted pages.

I just wanted to let you know this is still not enforced by default in Chrome, so you may get some websites complaining about it. On the other side, I am expecting a part of this is coming from malicious ads, but I don't have any estimations, only some reports that this is maliciously used in the wild.

Getting Safari to ship this would greatly help me enable this in Chrome too, so I am very happy! I just wanted to warn you about the risk and I will let you decide if 0.015% is acceptable.
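As an added illustration, not code from the WebKit patch or from any participant in this bug, the following JavaScript models the policy the bug introduces: a main-resource navigation to a scheme the browser does not itself render is refused when it originates from a sandboxed frame. The allowlist of browser-handled schemes, the request shape, and the sample requests are assumptions made for this example; the log text is the one quoted in the review above, and `msteam:` is the scheme named in the thread.

```javascript
// Added example (not WebKit code): a model of the navigation policy this bug
// introduces, written from a defender's point of view. Assumptions are marked.

// Schemes the browser renders itself. Anything else is treated as an
// "external protocol" that would be handed to another application.
// ASSUMPTION: this allowlist is illustrative, not WebKit's actual list.
const BROWSER_HANDLED_SCHEMES = new Set([
  "http:", "https:", "about:", "blob:", "data:", "file:", "javascript:",
]);

// Release-log text quoted in the review on this page.
const BLOCK_LOG_MESSAGE =
  "Ignoring request to load this main resource because it has a custom protocol and comes from a sandbox iframe";

// Return the scheme (with trailing ":") of a URL, or null if it does not parse.
function parseScheme(rawUrl) {
  try {
    return new URL(rawUrl).protocol;
  } catch {
    return null;
  }
}

// A URL is "external" when it parses and its scheme is not one the browser
// renders itself. Unparseable input is not classified as external here.
function isExternalProtocol(rawUrl) {
  const scheme = parseScheme(rawUrl);
  return scheme !== null && !BROWSER_HANDLED_SCHEMES.has(scheme);
}

// Decide whether a navigation request is refused under the rule
// "block external protocol handlers in sandboxed frames".
// request: { url: string, initiatorSandboxed: boolean }  (assumed shape)
// Returns { allowed: boolean, reason: string | null }.
function evaluateNavigation(request) {
  if (request.initiatorSandboxed && isExternalProtocol(request.url)) {
    return { allowed: false, reason: BLOCK_LOG_MESSAGE };
  }
  return { allowed: true, reason: null };
}

// Constructed sample requests (not data from the page).
const SAMPLE_REQUESTS = [
  { url: "https://example.com/", initiatorSandboxed: true },  // web scheme: allowed
  { url: "msteam:open", initiatorSandboxed: true },           // external + sandboxed: blocked
  { url: "msteam:open", initiatorSandboxed: false },          // external, not sandboxed: allowed
  { url: "about:blank", initiatorSandboxed: true },           // browser-handled: allowed
];

// Evaluate every sample and attach the decision to it.
function runSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ ...r, ...evaluateNavigation(r) }));
}

for (const result of runSamples()) {
  console.log(`${result.initiatorSandboxed ? "sandboxed" : "top-level"} -> ${result.url}: ${result.allowed ? "allowed" : "blocked"}`);
}
```

Only the combination of an external scheme and a sandboxed initiator is refused; the same `msteam:` navigation from a non-sandboxed frame still goes through, which is why the thread discusses compatibility fallout (the Teams site) alongside the abuse case (ads in sandboxed frames).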