Bug 113345 - View-source iframes are dangerous (and not very useful).
Summary: View-source iframes are dangerous (and not very useful).
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Thomas Sepez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-26 14:47 PDT by Thomas Sepez
Modified: 2013-04-18 16:04 PDT
CC List: 11 users

See Also:


Attachments
Patch. (6.02 KB, patch) 2013-03-29 14:05 PDT, Thomas Sepez
Patch, fix blank line. (5.54 KB, patch) 2013-03-29 14:07 PDT, Thomas Sepez

Description Thomas Sepez 2013-03-26 14:47:16 PDT
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636.

Memorable comments from that bug:
Collin: "View-source iframes seem dangerous in general; create a "captcha" that steals CSRF tokens, for example."
Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."
Adam: "It's non-standard and not supported by other browsers, AFAIK."

Platforms should have the option of excluding them, if they so desire.
Comment 1 Thomas Sepez 2013-03-29 14:05:10 PDT
Created attachment 195795 [details]
Patch.
Comment 2 Thomas Sepez 2013-03-29 14:07:55 PDT
Created attachment 195797 [details]
Patch, fix blank line.
Comment 3 Adam Barth 2013-03-30 10:51:58 PDT
We might run into compat trouble, but I doubt it.
Comment 4 WebKit Review Bot 2013-03-30 11:21:13 PDT
Comment on attachment 195797 [details]
Patch, fix blank line.

Clearing flags on attachment: 195797

Committed r147280: <http://trac.webkit.org/changeset/147280>
Comment 5 WebKit Review Bot 2013-03-30 11:21:16 PDT
All reviewed patches have been landed. Closing bug.
Comment 6 Elliott Sprehn 2013-04-18 15:06:54 PDT
How do we know this didn't break real pages using viewsource? It seems like we should have restricted this to same origin iframes (and data urls). It's a pretty useful feature.
Comment 7 Chris Evans 2013-04-18 15:11:19 PDT
We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, Firefox)?
Comment 8 Elliott Sprehn 2013-04-18 15:18:09 PDT
(In reply to comment #7)
> We don't believe it's used by pages, because we believe it's not supported by other browsers (IE, FireFox)?

That logic has never been true. :) Lots of WebKit-only features appear in pages, ex. custom scrollbars.

This feature _was_ useful for showing the contents of a contenteditable area in a syntax highlighted way, or showing the source of a blog post. Ex. your blog can show the post HTML to you.

I'd prefer if we could histogram this first, or restrict it to same origin iframes.
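The alternative floated in comments 6 and 8 (keep the feature but only for same-origin iframes and data: URLs) can be stated as a small audit policy. The following is an added example written for this page, not code from the WebKit patch or from Chromium: it scans markup for `<iframe>` elements carrying the `viewsource` attribute named in the thread and classifies each one against that proposed policy, so a site owner can find which of their own embeds would have survived the restriction. The attribute name, the sample HTML and the page URL are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Default ports so that "https://host" and "https://host:443" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) tuple that defines an absolute URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def classify_viewsource_src(page_url, src):
    """Apply the policy proposed in the discussion: a view-source iframe is allowed
    only when its src is a data: URL or shares the embedding page's origin."""
    if src is None:
        return "block"              # no src to reason about: treat as cross-origin
    src = src.strip()
    if src.lower().startswith("data:"):
        return "allow"              # data: URLs carry their own content, no third party
    resolved = urljoin(page_url, src)   # relative src values resolve against the page
    if origin_of(resolved) == origin_of(page_url):
        return "allow"
    return "block"


class ViewSourceIframeScanner(HTMLParser):
    """Collect the src of every <iframe> that carries a 'viewsource' attribute
    (hypothetical attribute name taken from the bug discussion)."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attr_map = {name.lower(): value for name, value in attrs}
        # A bare boolean attribute shows up with value None; presence is what matters.
        if "viewsource" in attr_map:
            self.found.append(attr_map.get("src"))


def audit_page(page_url, html):
    """Return [(src, decision), ...] for each view-source iframe in the markup."""
    scanner = ViewSourceIframeScanner()
    scanner.feed(html)
    scanner.close()
    return [(src, classify_viewsource_src(page_url, src)) for src in scanner.found]


# Constructed sample: a blog page that embeds its own post source, a cross-origin
# target, an inline data: document, the same host on a different port, and one
# ordinary iframe without the attribute (which the scanner must ignore).
SAMPLE_PAGE_URL = "https://blog.example/post/42"
SAMPLE_HTML = """
<html><body>
  <iframe viewsource src="/post/42/raw"></iframe>
  <iframe viewsource src="https://bank.example/account"></iframe>
  <iframe viewsource src="data:text/html,%3Cb%3Ehi%3C%2Fb%3E"></iframe>
  <iframe viewsource src="https://blog.example:8443/admin"></iframe>
  <iframe src="https://video.example/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, decision in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{decision:5}  {src}")
```

Origin comparison deliberately includes the port, so the same host on a non-default port is a different origin and is blocked, matching how browsers define origin. The cross-origin case is the one Collin's "captcha" comment is about: the embedding page would be able to render, and read, source from a site the user is logged in to.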
Comment 9 Elliott Sprehn 2013-04-18 16:04:32 PDT
I discussed with ojan and adamk and they both think no one uses this feature, so let's let it die! :)