NEW 110831
Plug-ins from third-party domains in the top frame can still set LSOs 
https://bugs.webkit.org/show_bug.cgi?id=110831
Summary Plug-ins from third-party domains in the top frame can still set LSOs
Vicki Pfau
Reported 2013-02-25 18:14:08 PST
Since r127513, plug-ins from third-party contexts have been forced into private browsing mode; however, this patch only defines a third-party context as a subframe; an embed to a third-party domain in the main frame will not be forced into private browsing mode. Changing this to force third-party domain embeds, however, will break upload sites e.g. for Flash games that use CDNs or subdomains to ensure cookies are safe, such as Newgrounds and Kongregate.
Attachments
Patch (8.51 KB, patch)
2013-02-25 18:30 PST, Vicki Pfau 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Vicki Pfau
Comment 1 2013-02-25 18:15:23 PST
<rdar://problem/12610535>
Vicki Pfau
Comment 2 2013-02-25 18:30:07 PST
Created attachment 190179 [details] Patch
Maciej Stachowiak
Comment 3 2013-02-25 20:55:15 PST
That's worrisome. How bad do these sites break? We should probably discuss this offline.
Darin Adler
Comment 4 2013-05-13 18:40:01 PDT
Comment on attachment 190179 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=190179&action=review Code seems OK, but a bit confusing. > Source/WebCore/ChangeLog:15 > + (WebCore): Please remove bogus change log lines. > Source/WebCore/ChangeLog:17 > + (SecurityOrigin): Please remove bogus change log lines. > Source/WebCore/page/SecurityOrigin.cpp:386 > +bool SecurityOrigin::canAccessPluginStorage(const WebCore::KURL &url) const The prefix and formatting here is wrong. Should be: const KURL& url > Source/WebCore/page/SecurityOrigin.cpp:395 > + if (!url.isValid()) > + return true; Seems strange that the create function doesn’t do this check. > Source/WebCore/page/SecurityOrigin.cpp:398 > + RefPtr<SecurityOrigin> origin = create(url); > + return canAccessStorage(origin.get()); No need for the local variable. Reads better as: return canAccessStorage(create(url).get()); Also, wouldn’t it be better to call canAccessPuginStorage here instead of canAccessStorage? > Source/WebCore/page/SecurityOrigin.h:153 > + bool canAccessPluginStorage(const KURL&) const; To me it seems like this argument needs a name. Not at all clear what this URL represents. > LayoutTests/http/tests/security/cross-origin-same-frame-plugin-expected.txt:2 > +CONSOLE MESSAGE: line 11: false > +CONSOLE MESSAGE: line 12: false These sure are cryptic. Could you improve the test to make it clearer what these are about? > LayoutTests/platform/mac-wk2/http/tests/security/cross-origin-same-frame-plugin-expected.txt:2 > +CONSOLE MESSAGE: line 11: true > +CONSOLE MESSAGE: line 12: false These sure are cryptic. Could you improve the test to make it clearer what these are about?
Note You need to log in before you can comment on or make changes to this bug.