Summary: | Web Inspector: inspector follows javascript: hrefs as relative | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Rosen Dash <rosen.dash> | ||||||
Component: | Web Inspector (Deprecated) | Assignee: | Alexander Pavlov (apavlov) <apavlov> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | apavlov, bweinstein, joepeck, keishi, loislo, pfeldman, pmuellr, rik, timothy, yurys | ||||||
Priority: | P2 | ||||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | All | ||||||||
OS: | All | ||||||||
URL: | http://dedimine.com/public/crbug-inspector-uri.html | ||||||||
Attachments: |
|
Description
Rosen Dash
2011-11-15 03:29:27 PST
Created attachment 115170 [details]
Patch
Comment on attachment 115170 [details]
Patch
Should we prevent running the script in the Inspector? It seems we should send the script to the inspected page to exec.
Created attachment 115372 [details]
Patch
(In reply to comment #2) > (From update of attachment 115170 [details]) > Should we prevent running the script in the Inspector? It seems we should send the script to the inspected page to exec. Right, running the code in the Inspector would be a huge security hole. We decided not to linkify the "javascript:..." URLs altogether. Comment on attachment 115372 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=115372&action=review > Source/WebCore/inspector/front-end/ResourceUtils.js:291 > + if (href.indexOf("javascript:") === 0) I'd rather do this check at the call site and return href here, otherwise looks good. Committed r100588: <http://trac.webkit.org/changeset/100588> |