[webkit-dev] Security advice for linux browsers based on WebKit
Maciej Stachowiak
mjs at apple.com
Mon Aug 24 16:16:45 PDT 2009
Hi Adam,

I think it's probably possible to change the default on all platforms
other than Mac. I do not believe the compatibility issues we're
concerned about for Mac affect any other port. I think this would be a
good choice.

For what it's worth, NFS/AFS automounting also affects many Mac OS X
deployments. We may have to take special measures to detect remote
mountpoints to mitigate these risks.

Regards,
Maciej

On Aug 22, 2009, at 10:05 PM, Adam Barth wrote:
> If you don't use WebKit to build a browser on Linux, you can ignore
> this message.
>
> By default, WebKit allows local HTML files to inject script into any
> web page. That means that if you open a local HTML file on your
> machine, it can effectively XSS every web site, including the user's
> bank or webmail provider. To protect against this threat, we have the
> following setting
>
> Settings::setAllowUniversalAccessFromFileURLs
>
> which disables this behavior. For legacy reasons, we default this
> setting to "true," but I'd like to encourage you to use the "false"
> setting by default in your browser, especially if your browser runs on
> Linux.
>
> This issue is particularly important on Linux because many Linux users
> use a network file system, such as AFS or NFS, which maps the entire
> world into the local file system. For example, if I made my home
> directory world-readable, it's quite likely that I would be able to
> control this URL on your user's machines:
>
> file:///afs/cs.stanford.edu/u/abarth
>
> If you don't override WebKit's default setting, I might be able to
> leverage this ability to read your user's email or transact on your
> user's bank accounts.
>
> Of course, even with the "false" setting, I might still be able to
> read the contents of your user's /etc/passwd file or other sensitive
> information in your user's file system. Over time, I hope we can
> further restrict the privileges granted to file URLs. However,
> removing universal access is a necessary first step.
>
> Please let me know if you have any questions.
>
> Adam
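
Added example (not part of the original thread and not WebKit code): one way an embedder could detect that a file URL's path sits on a remote mountpoint such as NFS or AFS, by longest-prefix matching against mount-table text in /proc/mounts format. The function names, the list of remote filesystem types and the sample mount table are assumptions made for illustration.

```cpp
#include <set>
#include <sstream>
#include <string>

// Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
static const char* kSampleMounts =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "AFS /afs afs rw 0 0\n"
    "filer:/export/home /home nfs4 rw,vers=4.1 0 0\n"
    "/dev/sdb1 /home/alice/scratch ext4 rw 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid 0 0\n";

// Types treated as remote (assumed list; autofs is included so unmounted automount points count).
static bool isRemoteFsType(const std::string& type) {
    static const std::set<std::string> remote = {
        "nfs", "nfs4", "afs", "cifs", "smb3", "9p", "ceph", "fuse.sshfs", "autofs"};
    return remote.count(type) > 0;
}

// True if mountPoint is path itself or one of its parent directories.
static bool isUnder(const std::string& path, const std::string& mountPoint) {
    if (mountPoint == "/") return !path.empty() && path[0] == '/';
    if (path.compare(0, mountPoint.size(), mountPoint) != 0) return false;
    return path.size() == mountPoint.size() || path[mountPoint.size()] == '/';
}

// The longest matching mount point decides; on a tie the later entry wins, because
// it is mounted on top. path must be absolute and already canonicalized (for example
// with realpath()), otherwise symlinks or ".." can hide the real location.
// Octal escapes such as \040 in mount points are not decoded here.
bool pathIsOnRemoteMount(const std::string& mounts, const std::string& path) {
    std::istringstream lines(mounts);
    std::string line, bestType;
    std::string::size_type bestLen = 0;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        std::string device, mountPoint, type;
        if (!(fields >> device >> mountPoint >> type)) continue;
        if (isUnder(path, mountPoint) && mountPoint.size() >= bestLen) {
            bestLen = mountPoint.size();
            bestType = type;
        }
    }
    return isRemoteFsType(bestType);
}

int main() {
    return pathIsOnRemoteMount(kSampleMounts, "/afs/cs.stanford.edu/u/abarth") ? 0 : 1;
}
```

A browser could use such a check to apply stricter handling to file URLs under remote mounts, independently of the universal-access setting.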