RESOLVED FIXED 235616
[iOS][macOS] Block access to Icon Services
https://bugs.webkit.org/show_bug.cgi?id=235616
Summary [iOS][macOS] Block access to Icon Services
Per Arne Vollan
Reported 2022-01-25 15:46:22 PST
Stop creating a sandbox extension for the Icon service when the attachment element is enabled, since local testing indicates that this is not needed.
Attachments
Patch (8.64 KB, patch)
2022-01-25 15:48 PST, Per Arne Vollan
darin: review+
Patch (7.55 KB, patch)
2022-01-27 13:36 PST, Per Arne Vollan
no flags
Patch (7.55 KB, patch)
2022-01-27 13:37 PST, Per Arne Vollan
no flags
Per Arne Vollan
Comment 1 2022-01-25 15:48:07 PST
Darin Adler
Comment 2 2022-01-25 17:03:30 PST
Comment on attachment 449975 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=449975&action=review > Source/WebKit/ChangeLog:3 > + [iOS][macOS] Block access to Icon service I think it's "Icon Services" > Source/WebKit/ChangeLog:9 > + Stop creating a sandbox extension for the Icon service when the attachment element is enabled, > + since local testing indicates that this is not needed. I’m kind of surprised. Maybe we don’t put the icon into <input type=file> element on the webpage any more, like we did in the past. Did you test with a file with an unusual icon to make sure the icon was correct?
Per Arne Vollan
Comment 3 2022-01-27 13:36:58 PST
Per Arne Vollan
Comment 4 2022-01-27 13:37:31 PST
Per Arne Vollan
Comment 5 2022-01-27 13:42:58 PST
(In reply to Per Arne Vollan from comment #1) > Created attachment 449975 [details] > Patch (In reply to Darin Adler from comment #2) > Comment on attachment 449975 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=449975&action=review > > > Source/WebKit/ChangeLog:3 > > + [iOS][macOS] Block access to Icon service > > I think it's "Icon Services" > Fixed! > > Source/WebKit/ChangeLog:9 > > + Stop creating a sandbox extension for the Icon service when the attachment element is enabled, > > + since local testing indicates that this is not needed. > > I’m kind of surprised. Maybe we don’t put the icon into <input type=file> > element on the webpage any more, like we did in the past. Did you test with > a file with an unusual icon to make sure the icon was correct? That is a good point. This change should only affect apps that enable the attachment element, like Mail, etc. Based on your comment, I see that the original patch is incorrectly changing the sandbox, since an extension is still in use in file upload dialogs. I have updated the patch. Thanks for reviewing!
Per Arne Vollan
Comment 6 2022-01-27 16:12:18 PST
EWS
Comment 7 2022-02-16 15:24:32 PST
Committed r289972 (247358@main): <https://commits.webkit.org/247358@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 450173 [details].
Note You need to log in before you can comment on or make changes to this bug.