WebKit Bugzilla
RESOLVED FIXED
64080
Web Inspector: secure access to extensions API
https://bugs.webkit.org/show_bug.cgi?id=64080
Andrey Kosyakov
Reported
2011-07-07 05:35:45 PDT
Use relative filenames instead of URLs when specifying extension resources (panels, sidebars, icons). Also, we used to allow extension requests for any iframes injected into WebInspector front-end. This patch changes it to only allow extension requests coming from the same origin as the extension we explicitly loaded.
Attachments
patch
(7.84 KB, patch)
2011-07-07 05:38 PDT
,
Andrey Kosyakov
pfeldman
: review+
Andrey Kosyakov
Comment 1
2011-07-07 05:38:03 PDT
Created attachment 99969: patch
Pavel Feldman
Comment 2
2011-07-07 06:46:28 PDT
Comment on attachment 99969: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=99969&action=review
> LayoutTests/platform/gtk/Skipped:-1554 > -inspector/
Thanks for making inspector tests pass on gtk.
> Source/WebCore/inspector/front-end/ExtensionServer.js:495 > + } while (resourcePath !== old_path);
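Review bot: `old_path` in the loop condition at ExtensionServer.js:495 is written with an underscore while `resourcePath` in the same expression is camelCase; renaming it to `oldPath` would keep the two consistent. The condition also implies the loop repeats until the path stops changing, so a short comment saying what each pass rewrites, and what happens to a `..` that has no preceding segment left to consume, would make the normalization easier to check.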
split("/"), followed by a push on normal / pull on ..
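The two measures described in this bug (relative filenames resolved against the extension's own origin, and requests accepted only from the origin of an explicitly loaded extension), using the split/push/pop normalization suggested in the review, as an added example. This is not the code from the patch or from r90581; every function name, the class and the sample origins are assumptions.

```javascript
// Added illustration; all names here are hypothetical, not WebKit's.

// Normalize a relative path with a segment stack: push ordinary segments,
// pop on "..". Returns null when ".." would climb above the root.
function normalizeRelativePath(path) {
    const stack = [];
    for (const segment of path.split("/")) {
        if (segment === "" || segment === ".")
            continue;
        if (segment === "..") {
            if (!stack.length)
                return null; // nothing left to pop: path leaves the root
            stack.pop();
            continue;
        }
        stack.push(segment);
    }
    return stack.join("/");
}

// Expand an extension-supplied filename against the origin the extension
// was loaded from. Absolute and protocol-relative URLs are rejected.
function expandResourcePath(extensionOrigin, resourcePath) {
    if (typeof resourcePath !== "string")
        return null;
    const looksLikeURL = /^[a-z][a-z0-9+.-]*:/i.test(resourcePath) ||
        resourcePath.startsWith("//") || resourcePath.includes("\\");
    if (looksLikeURL)
        return null;
    const normalized = normalizeRelativePath(resourcePath);
    return normalized === null ? null : extensionOrigin + "/" + normalized;
}

// Origins of the extensions the front-end loaded explicitly.
class ExtensionRegistry {
    constructor() { this._origins = new Set(); }
    register(extensionURL) { this._origins.add(new URL(extensionURL).origin); }
    // A request is served only if its sender's origin was registered.
    isAllowedSender(messageOrigin) { return this._origins.has(messageOrigin); }
}
```

In a `message` event handler, `isAllowedSender(event.origin)` would be the first check, before any command in the message is dispatched.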
Andrey Kosyakov
Comment 3
2011-07-07 11:42:12 PDT
A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
Andras Becsi
Comment 4
2011-07-08 04:45:08 PDT
(In reply to comment #3)
> A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.
Andrey Kosyakov
Comment 5
2011-07-08 04:46:08 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
>
> After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.
Yup, I just noticed this as well, the fix is coming in a few minutes.
Andrey Kosyakov
Comment 6
2011-07-08 04:48:47 PDT
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > A variation of patch landed as r90581: http://trac.webkit.org/changeset/90581
> >
> > After this change inspector/extensions/extensions.html times out at least on the Qt Linux Release, SnowLeopard Intel Release, Windows 7 Release bots and inspector/profiler/cpu-profiler-profiling.html on the Qt Linux Release bot.
>
> Yup, I just noticed this as well, the fix is coming in a few minutes.
Actually, not. I'll rather rollback for the time being.