On Fri, Mar 18, 2011 at 10:46 PM, Joe Andrieu <joe@andrieu.net> wrote:
I've been working with the Chromium Embedded Framework (in windows) which gives webkit version 534.20. I am trying to get a custom scheme to work with XHR.
By way of background, I first updated the Cef code so that custom schemes can be declared "non-standard", which avoids certain parsing errors. Non-standard schemes include "data", "javascript", "file". Webkit has a mechanism for registering standard schemes, so all I needed to do was /not/ register custom schemes that were non-standard.
My custom scheme works fine at the beginning of the request. Chromium/Cef successfully calls my scheme handler and my response data is read. But it fails when the DocumentThreadableLoader::DocumentThreadableLoader constructor starts checking for cross-origin security.
I was able to get the code to "work" by bypassing the origin tests and simply calling "loadRequest" in that constructor.
As a fix, I'd like to propose that non-standard scheme URLs be accessible from any security origin.
I'm afraid this would be a security vulnerability. It would be very dangerous to default unusual schemes to be accessible from any security origin. :( I'm not entirely sure what you're trying to do, but it's likely to can return CORS headers from your custom URL handler that allow access from every security origin. Adam
A patch to SecurityOrigin::canRequest could set DocumentThreadableLoader::m_sameOriginRequest to true if url_util::DoIsStandard returns false. This would use Webkit's existing whitelist mechanism for standard schemes. If necessary, exclusions could be hardcoded if certain non-standard schemes are inappropriate for this policy.
Since this could have significant security implications, I wanted to run it by here first.
I realize that my use case is stretching XMLHttpRequest well past http, but this would allow using custom schemes with libraries that support AJAX requests, such as JSTree.
Curiously enough, I ran into the "rdar" scheme in the code, referencing Apple's internal bug database. Given the current webkit security policy, it would be impossible to access rdar URLs via Ajax. My proposed change would allow it (assuming an appropriate scheme handler is available).
FWIW, I'd be happy to figure out and provide a patch.
-j
-- Joe Andrieu joe@andrieu.net +1 (805) 705-8651
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev