110831 – Plug-ins from third-party domains in the top frame can still set LSOs

Bug 110831 - Plug-ins from third-party domains in the top frame can still set LSOs

Summary: Plug-ins from third-party domains in the top frame can still set LSOs

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Vicki Pfau

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2013-02-25 18:14 PST by Vicki Pfau
Modified:	2013-05-13 18:40 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
Patch (8.51 KB, patch) 2013-02-25 18:30 PST, Vicki Pfau	darin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vicki Pfau 2013-02-25 18:14:08 PST

Since r127513, plug-ins from third-party contexts have been forced into private browsing mode; however, this patch only defines a third-party context as a subframe; an embed to a third-party domain in the main frame will not be forced into private browsing mode.

Changing this to force third-party domain embeds, however, will break upload sites e.g. for Flash games that use CDNs or subdomains to ensure cookies are safe, such as Newgrounds and Kongregate.

Comment 1 Vicki Pfau 2013-02-25 18:15:23 PST

<rdar://problem/12610535>

Comment 2 Vicki Pfau 2013-02-25 18:30:07 PST

Created attachment 190179 [details]
Patch

Comment 3 Maciej Stachowiak 2013-02-25 20:55:15 PST

That's worrisome. How bad do these sites break? We should probably discuss this offline.

Comment 4 Darin Adler 2013-05-13 18:40:01 PDT

Comment on attachment 190179 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=190179&action=review

Code seems OK, but a bit confusing.

> Source/WebCore/ChangeLog:15
> +        (WebCore):

Please remove bogus change log lines.

> Source/WebCore/ChangeLog:17
> +        (SecurityOrigin):

Please remove bogus change log lines.

> Source/WebCore/page/SecurityOrigin.cpp:386
> +bool SecurityOrigin::canAccessPluginStorage(const WebCore::KURL &url) const

The prefix and formatting here is wrong. Should be:

    const KURL& url

> Source/WebCore/page/SecurityOrigin.cpp:395
> +    if (!url.isValid())
> +        return true;

Seems strange that the create function doesn’t do this check.

> Source/WebCore/page/SecurityOrigin.cpp:398
> +    RefPtr<SecurityOrigin> origin = create(url);
> +    return canAccessStorage(origin.get());

No need for the local variable. Reads better as:

    return canAccessStorage(create(url).get());

Also, wouldn’t it be better to call canAccessPuginStorage here instead of canAccessStorage?

> Source/WebCore/page/SecurityOrigin.h:153
> +    bool canAccessPluginStorage(const KURL&) const;

To me it seems like this argument needs a name. Not at all clear what this URL represents.

> LayoutTests/http/tests/security/cross-origin-same-frame-plugin-expected.txt:2
> +CONSOLE MESSAGE: line 11: false
> +CONSOLE MESSAGE: line 12: false

These sure are cryptic. Could you improve the test to make it clearer what these are about?

> LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-same-frame-plugin-expected.txt:2
> +CONSOLE MESSAGE: line 11: true
> +CONSOLE MESSAGE: line 12: false

These sure are cryptic. Could you improve the test to make it clearer what these are about?