WebKit Bugzilla
NEW
11885
Cross-frame scripting checks should not restrict access to data: URLs
https://bugs.webkit.org/show_bug.cgi?id=11885
Geoffrey Garen
Reported
2006-12-19 16:09:03 PST
See http://bugs.webkit.org/attachment.cgi?id=11925 for an example of a script that fails because of it.
Attachments
Wrong patch (has vulnerabilities) (4.17 KB, patch), 2010-11-07 23:45 PST, Adam Barth
no flags
Sam Weinig
Comment 1
2008-01-23 22:33:51 PST
I don't think it would be a good idea to completely remove the restriction, but rather we need to define a safe subset of cases when cross-frame scripting with data: URL is allowed. It would be a good first step to document exactly what Firefox and Opera do.
Adam Barth
Comment 2
2008-01-23 22:39:46 PST
Some of the other folks CCed on this bug may know the Firefox and Opera behavior off-hand, but Collin and I would be happy to try to figure it out experimentally.
Maciej Stachowiak
Comment 3
2008-01-24 21:15:40 PST
I believe the current behavior of Firefox is an XSS security risk.
Jesse Ruderman
Comment 4
2008-01-24 21:27:35 PST
See https://bugzilla.mozilla.org/show_bug.cgi?id=255107 for some discussion of the security risk.
Adam Barth
Comment 5
2009-02-14 16:40:25 PST
HTML 5 specs Firefox's behavior: "If a Document or image was generated from a data: URL found in another Document or in a script The origin is the origin of the Document or script in which the data: URL was found."
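The origin rule quoted in comment 5, modelled next to the restriction named in the bug title, as an added example that is not part of any comment or of the attached patch. The document shape, the policy names and the sample URLs are assumptions made for the illustration; a data: document with no creator gets a unique origin under both policies.

```javascript
// Added illustration, not WebKit or Gecko code. A document is modelled as
// { url, creator }: creator is the document whose markup or script
// supplied the URL, or null for a top-level load.

const opaqueIds = new WeakMap(); // one stable unique origin per document
let nextOpaqueId = 0;

function opaqueOrigin(doc) {
  if (!opaqueIds.has(doc)) opaqueIds.set(doc, `opaque-${++nextOpaqueId}`);
  return opaqueIds.get(doc);
}

// policy "inherit": the rule quoted in comment 5.
// policy "unique":  assumed model of the restriction this bug describes.
function originOf(doc, policy) {
  if (!doc.url.toLowerCase().startsWith("data:")) return new URL(doc.url).origin;
  if (policy === "inherit" && doc.creator) return originOf(doc.creator, policy);
  return opaqueOrigin(doc);
}

// Cross-frame scripting check: allowed only when both origins match.
function canScript(a, b, policy) {
  return originOf(a, policy) === originOf(b, policy);
}

// Constructed sample frame tree.
const page = { url: "https://app.example/inbox", creator: null };
const frame = { url: "data:text/html,<p>widget</p>", creator: page };
const nested = { url: "data:text/html,<p>inner</p>", creator: frame };
const other = { url: "https://other.example/", creator: null };
const otherFrame = { url: "data:text/html,<p>ad</p>", creator: other };

function report() {
  return ["inherit", "unique"].map((policy) => ({
    policy,
    pageToFrame: canScript(page, frame, policy),
    pageToNested: canScript(page, nested, policy),
    frameToOtherFrame: canScript(frame, otherFrame, policy),
  }));
}

console.table(report());
```

Under "inherit" the data: document is fully same-origin with whichever document supplied the URL, so that document has to treat any data: URL it loads into a frame as its own script.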
Ojan Vafai
Comment 6
2010-03-29 11:11:04 PDT
Some of the public-web-security discussion:
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0112.html
http://lists.w3.org/Archives/Public/public-web-security/2009Dec/0121.html
I firmly believe we should try to make the Gecko policy work, mainly for the reasons Maciej stated in the second of those links. It makes iframes much easier to work with.
Adam Barth
Comment 7
2010-11-07 23:45:33 PST
Created attachment 73217: Wrong patch (has vulnerabilities)
Adam Barth
Comment 8
2010-11-07 23:46:35 PST
I think we should do this, but the implementation is not trivial. The approach in the above patch doesn't work, sadly.