jochen at chromium.org
Mon Mar 18 00:30:39 PDT 2013
On Sun, Mar 17, 2013 at 8:26 PM, Geoffrey Garen <ggaren at apple.com> wrote:
> Hi folks.
> (1) Paste / Drag n Drop / editing: Remove script elements and script
> attributes from untrusted source markup at parse time.
> and/or CSP at runtime.
> There are problems with mode (2):
> The Web Inspector, bookmarklets, extensions, Safari Reader, and Safari
I'm not sure I understand:
We only invoke canExecuteScript for scripts in the main world, so running
extensions (or anything else that's running in an isolated world) should
not be affected.
Also, the actual permission check is done via
FrameLoaderClient::allowScript and ::allowScriptFromSource, so blocking
e.g. only scripts from the web, but not from the inspector should also be
> As a defense against phishing attacks, mail clients and other web content
> (FWIW, WebKit violates the CSP specification in this regard: "Enforcing a
> CSP policy should not interfere with the operation of user-supplied scripts
> * It subjects users to XSS attacks.
> This is a risky proposition. Operations that clone or adopt nodes from the
> the user to attack. Experience shows that this is a difficult programming
> model to get right.
> * It's hard to verify.
> We have 18 different call sites to canExecuteScripts() in WebKit, not
> counting the call sites that pertain to plug-ins. Are you confident we've
> caught all the right places? Do you know if the feature you just added
> needs to call canExecuteScripts()?
> * It's two different ways to do the same thing.
> Simplicity is a goal of the WebKit project.
> can be removed.
> One potential downside to this proposal is that it changes the document's
> internal structure. Since the changes are not generally observable, since
> they only take place when we're already making much bigger changes by
> preventing whole scripts from running, and since we haven't seen any
> compatibility problems from our paste / drag n drop / editing behavior in
> this regard, I think this downside is acceptable.
> Another potential downside is that CSP errors will be reported at parse
> time instead of runtime. FWIW, some authors might see this as an upside.
> Any objections?
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
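As an added illustration of the parse-time approach Geoffrey contrasts with runtime canExecuteScripts() checks, here is a small sanitizer that drops script elements and script-bearing attributes while the untrusted markup is being parsed, so nothing script-like ever reaches the resulting tree. This is example code written for this archive page, not WebKit code or anything posted in the thread; it uses Python's stdlib html.parser as a stand-in for the engine's HTML parser, and the sample markup and the javascript:-URL normalization rule are assumptions of the example.

```python
from html import escape
from html.parser import HTMLParser

# Attributes whose value is a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ScriptStrippingParser(HTMLParser):
    """Re-emits the markup it parses, minus <script> elements (including their
    content), on* event-handler attributes and javascript: URLs.

    The removal happens while parsing, so the output never contains a script
    node that a later clone/adopt operation could revive."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # rebuilt markup fragments
        self.skip_depth = 0  # > 0 while inside a <script> element
        self.removed = []    # (kind, what) pairs, useful for reporting

    @staticmethod
    def _is_script_url(value):
        # Strip whitespace and control characters so "java\tscript:" is
        # still recognised; parsers tolerate those in the scheme.
        normalized = "".join(c for c in value if not c.isspace() and ord(c) > 31)
        return normalized.lower().startswith("javascript:")

    def _emit_start(self, tag, attrs, self_closing):
        if tag == "script":
            self.skip_depth += 1
            self.removed.append(("element", tag))
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.removed.append(("attribute", f"{tag}@{lname}"))
                continue
            if lname in URL_ATTRS and value is not None and self._is_script_url(value):
                self.removed.append(("attribute", f"{tag}@{lname}"))
                continue
            if value is None:
                parts.append(lname)
            else:
                parts.append(f'{lname}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Script bodies arrive here as raw text; dropping them while
        # skip_depth > 0 removes the script's content along with the element.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry no content worth preserving from untrusted input


def strip_scripts(markup):
    """Return (sanitized_markup, list_of_removed_items) for untrusted markup."""
    parser = ScriptStrippingParser()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample of pasted/dropped markup, not taken from the thread.
SAMPLE_MARKUP = (
    '<div onclick="steal()">Hi <script>alert(1)</script>'
    '<a href="javascript:alert(2)">x</a>'
    '<img src="a.png" onerror="evil()"></div>'
)

if __name__ == "__main__":
    clean, dropped = strip_scripts(SAMPLE_MARKUP)
    print(clean)
    for kind, what in dropped:
        print(f"removed {kind}: {what}")
```

The example deliberately only models the "remove script at parse time" half of the comparison: it does not allowlist elements or attributes, handle style-based vectors, or inspect srcdoc and similar nested-document attributes, so it is not a complete sanitizer. What it shows is the property Geoffrey argues for: because the removal is done once, at the point where the markup enters the tree, there is no set of later call sites (18 in WebKit's case) that each have to remember to ask whether script execution is allowed.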