Bug 11885 - Cross-frame scripting checks should not restrict access to data: URLs
Status: NEW
Product: WebKit
Component: WebCore JavaScript
Version: 420+
Hardware: Macintosh Mac OS X 10.4
Importance: P2 Normal
Reported: 2006-12-19 16:09 PST by
Modified: 2011-10-13 15:39 PST (History)


Attachments
Wrong patch (has vulnerabilities) (4.17 KB, patch)
2010-11-07 23:45 PST, Adam Barth




Description From 2006-12-19 16:09:03 PST
See http://bugs.webkit.org/attachment.cgi?id=11925 for an example of a script that fails because of it.
------- Comment #1 From 2008-01-23 22:33:51 PST -------
I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed.  It would be a good first step to document exactly what Firefox and Opera do.
------- Comment #2 From 2008-01-23 22:39:46 PST -------
Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally.
------- Comment #3 From 2008-01-24 21:15:40 PST -------
I believe the current behavior of Firefox is an XSS security risk.
------- Comment #4 From 2008-01-24 21:27:35 PST -------
See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk.
------- Comment #5 From 2009-02-14 16:40:25 PST -------
HTML 5 specs Firefox's behavior:

"If a Document or image was generated from a data: URL found in another Document or in a script
The origin is the origin of the Document or script in which the data: URL was found."
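The quoted rule can be made concrete with a small model of the origin computation. The following is an added example written for this page, not WebKit's or Gecko's code: it represents an origin as a (scheme, host, port) tuple, applies the HTML5 text above so that a Document loaded from a data: URL takes the origin of the Document that contained the URL, and then runs the ordinary same-origin check that cross-frame scripting access is gated on. The `originOf`, `effectiveOrigin` and `canAccessFrame` names, and the sample URLs, are constructed for the illustration.

```javascript
// Added example modelling the HTML5 origin rule for data: URLs quoted in
// comment #5. This is not browser code; the origin tuple and the check are
// simplified assumptions for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin of an ordinary network URL as a (scheme, host, port) tuple.
// data: URLs carry no host, so they are rejected here and handled by
// effectiveOrigin() instead.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "data:") {
    throw new Error("data: URLs have no origin of their own; use effectiveOrigin()");
  }
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Origin of a Document created from `urlString`. Under the HTML5 text, a
// data: URL found in a Document inherits that Document's origin; every other
// URL gets the origin derived from the URL itself.
function effectiveOrigin(urlString, creatorOrigin) {
  if (urlString.startsWith("data:")) {
    // Inherited: the data: document becomes same-origin with its creator.
    // This is exactly why comments #3 and #4 flag a risk: whatever produced
    // the data: URL string ends up with the creator's full origin.
    return { ...creatorOrigin };
  }
  return originOf(urlString);
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Cross-frame scripting check: may a document with origin `accessor`
// script a frame whose document has origin `target`?
function canAccessFrame(accessor, target) {
  return sameOrigin(accessor, target);
}

// Walk a list of frame URLs embedded by one parent document and report, for
// each, whether the parent may script it under the inheritance rule.
function frameAccessReport(parentUrl, frameUrls) {
  const parent = originOf(parentUrl);
  return frameUrls.map((url) => ({
    url,
    origin: effectiveOrigin(url, parent),
    parentMayScript: canAccessFrame(parent, effectiveOrigin(url, parent)),
  }));
}

// Constructed sample: a page on https://example.org embeds three frames.
const report = frameAccessReport("https://example.org/page", [
  "data:text/html,<p>generated by the parent</p>",
  "https://other.example/widget",
  "http://example.org/plain",
]);
for (const r of report) {
  console.log(`${r.url} -> ${r.origin.scheme}//${r.origin.host}:${r.origin.port}` +
              ` parentMayScript=${r.parentMayScript}`);
}
```

The data: frame comes back as `https://example.org:443` and is scriptable by the parent, which is the "iframes much easier to work with" benefit argued for in comment #6; the `http://` frame is rejected on scheme and port even though the host matches, as the ordinary policy requires. The model also makes the concern in comments #3 and #4 visible: `effectiveOrigin` never looks at the content of the data: URL, so the safety of the rule rests entirely on the creator controlling the string it embeds.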
------- Comment #6 From 2010-03-29 11:11:04 PST -------
Some of the public-web-security discussion:
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html

I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with.
------- Comment #7 From 2010-11-07 23:45:33 PST -------
Created an attachment (id=73217)
Wrong patch (has vulnerabilities)
------- Comment #8 From 2010-11-07 23:46:35 PST -------
I think we should do this, but the implementation is not trivial.  The approach in the above patch doesn't work, sadly.