Bug 64080 - Web Inspector: secure access to extensions API
Summary: Web Inspector: secure access to extensions API
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated) (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Andrey Kosyakov
URL:
Keywords:
Depends on: 64124 64158
Blocks:
  Show dependency treegraph
 
Reported: 2011-07-07 05:35 PDT by Andrey Kosyakov
Modified: 2011-07-08 04:51 PDT (History)
11 users (show)

See Also:


Attachments
patch (7.84 KB, patch)
2011-07-07 05:38 PDT, Andrey Kosyakov
pfeldman: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Kosyakov 2011-07-07 05:35:45 PDT
Use relative filenames instead of URLs when specifying extension resources (panels, sidebars, icons)/

Also, we used to allow extension requests for any iframes injected into WebInspecor front-end. This patch changes it to only allow extension requests coming from the same origin as the extension we explicitly loaded.
Comment 1 Andrey Kosyakov 2011-07-07 05:38:03 PDT
Created attachment 99969 [details]
patch
Comment 2 Pavel Feldman 2011-07-07 06:46:28 PDT
Comment on attachment 99969 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=99969&action=review

> LayoutTests/platform/gtk/Skipped:-1554
> -inspector/

Thanks for making inspector tests pass on gtk.

> Source/WebCore/inspector/front-end/ExtensionServer.js:495
> +        } while (resourcePath !== old_path);

split("/"), followed by a push on normal / pull on ..
Comment 3 Andrey Kosyakov 2011-07-07 11:42:12 PDT
A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
Comment 4 Andras Becsi 2011-07-08 04:45:08 PDT
(In reply to comment #3)
> A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581

After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.
Comment 5 Andrey Kosyakov 2011-07-08 04:46:08 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
> 
> After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.

Yup, I just noticed this as well, the fix is coming in a few minutes.
Comment 6 Andrey Kosyakov 2011-07-08 04:48:47 PDT
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
> > 
> > After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.
> 
> Yup, I just noticed this as well, the fix is coming in a few minutes.

Actually, not. I'll rather rollback for the time being.