Bug 43928 - Web Inspector: Nested fake workers don't handle about:blank url
Summary: Web Inspector: Nested fake workers don't handle about:blank url
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated) (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL: http://inst.eecs.berkeley.edu/~pathor...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-12 12:19 PDT by Patrick Horn
Modified: 2014-08-03 19:22 PDT (History)
9 users (show)

See Also:


Attachments
If URL is about:blank, use __devtools.location instead. (800 bytes, patch)
2010-08-12 12:19 PDT, Patrick Horn
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Horn 2010-08-12 12:19:54 PDT
Created attachment 64247 [details]
If URL is about:blank, use __devtools.location instead.

I have an application which uses subworkers if available, as described in MDC here:
https://developer.mozilla.org/en/Using_web_workers#Spawning_subworkers

When debugging workers is enabled, creating the worker fails in the URI class because location.href of the iframe is always about:blank. The call which passes in the bad location is:
scriptURL = this._expandURLAndCheckOrigin(document.baseURI, location.href, url);

My proposed fix is to lookup the origin in the same way as _importScripts, by using the location set by the parent frame.
I'm fairly certain this will not cause a XSS hole because the iframe is an about:blank URL, which means that no malicious code should not be able to affect the parent page--the __devtools variable could be faked but must have been set by the parent page, which implies some trust.

The attached diff allows subworkers to work when the debug box is checked. (The fibbonacci page produces the right answer 55)