[webkit-gtk] Setting to block displaying and/or running insecure content on secure pages

Marco Peereboom slash at peereboom.us
Fri Sep 30 08:15:26 PDT 2011


While researching the BEAST exploit I did some tests and found out that
webkit is susceptible to one of the preconditions of the exploit,
namely the downloading and executing of scripts and content outside of the
https session.

Now we can argue the likelihood of the BEAST exploit in webkit but that
isn't my point at all (I personally think it is exceedingly unlikely).
The browser that I wrote uses whitelists to determine what domains are
allowed to run javascript.  By default webkit allows running of cross-domain
scripts, so when I whitelist a domain a site currently can and
will download scripts from another domain I might not trust.

I did a proof of concept with the following web page:
https://www.cyphertite.com/beasttest.html
It downloads a picture and resizes it when JS is enabled even though I
don't trust the domain where the picture and JS originated.  Speaking as
a proof of concept of course ;-)

I rigged webkit to set m_allowRunningOfInsecureContent and
m_allowDisplayOfInsecureContent to false and the results were exactly
what I was expecting and looking for.  So I went ahead and started
writing a patch to expose those settings and as I was doing that I ran
across this bug report and patch:
https://bugs.webkit.org/show_bug.cgi?id=58378
It exposes the settings on all platforms, perfect ;-)

I would even argue that these settings should be disabled by default
because I can only come up with 3 reasons to enable it, and all of them
are nefarious.  So allowing browser authors to make this decision for
themselves is the next best thing IMO.

Thanks for considering this.
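Added illustration (not code from the message above, from the poster's browser, or from WebKit): a small model of what the two settings named in the message decide. WebKit splits insecure content on an https page into content that is merely displayed (passive subresources such as images) and content that is run (active subresources such as scripts), and gates each with its own flag. One caveat worth stating for anyone reading this thread: both flags key on the scheme of the subresource, not on its origin, so a script fetched over https from some other domain is not "insecure content" and is not affected by either setting. The resource-type table, the policy object, the page URL and the manifest below are this example's own constructed assumptions.

```javascript
// Added example; not code from the original post or from WebKit. It models the
// distinction behind m_allowDisplayOfInsecureContent and
// m_allowRunningOfInsecureContent. Type table, policy shape and sample data are
// this example's own assumptions.

// Passive subresources: an http:// load on an https:// page can be tampered with
// in transit, but cannot execute in the page's origin. Gated by
// allowDisplayOfInsecureContent.
const PASSIVE_TYPES = new Set(['img', 'audio', 'video']);

// Active subresources: whoever controls the bytes controls the page. Gated by
// allowRunningOfInsecureContent. Anything not listed as passive is treated as
// active, so unknown types fail closed.
const ACTIVE_TYPES = new Set(['script', 'stylesheet', 'iframe', 'xhr', 'object', 'font']);

function classify(type) {
  return PASSIVE_TYPES.has(type) ? 'display' : 'run';
}

// Decide whether one subresource may load. Relative and protocol-relative URLs
// are resolved against the page URL first, as a browser would do.
function checkSubresource(pageUrl, resourceUrl, type, policy) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page);
  // Only an https page has a secure context to protect, and only an http
  // subresource breaks it. A cross-origin https script is NOT mixed content.
  if (page.protocol !== 'https:' || res.protocol !== 'http:') {
    return { url: res.href, allowed: true, kind: 'not-mixed' };
  }
  const kind = classify(type);
  const allowed = kind === 'display'
    ? Boolean(policy.allowDisplayOfInsecureContent)
    : Boolean(policy.allowRunningOfInsecureContent);
  return { url: res.href, allowed, kind };
}

// Evaluate a whole page manifest and return the URLs that would be blocked.
function blockedSubresources(pageUrl, manifest, policy) {
  return manifest
    .map(({ url, type }) => checkSubresource(pageUrl, url, type, policy))
    .filter((r) => !r.allowed)
    .map((r) => r.url);
}

// Constructed sample, shaped like the test page the message describes: an https
// page that pulls an image and a script from an http origin it does not control.
const PAGE_URL = 'https://www.example.test/beasttest.html';
const SAMPLE_MANIFEST = [
  { url: '/site.js', type: 'script' },                             // same origin, https
  { url: '//static.example.test/lib.js', type: 'script' },         // protocol-relative -> https
  { url: 'http://cdn.example.net/picture.png', type: 'img' },      // passive mixed content
  { url: 'http://cdn.example.net/resize.js', type: 'script' },     // active mixed content
  { url: 'https://other.example.net/tracker.js', type: 'script' }, // cross-origin but https: not mixed
];

const PERMISSIVE_POLICY = { allowDisplayOfInsecureContent: true, allowRunningOfInsecureContent: true };
const STRICT_POLICY = { allowDisplayOfInsecureContent: false, allowRunningOfInsecureContent: false };
const BLOCK_ACTIVE_ONLY = { allowDisplayOfInsecureContent: true, allowRunningOfInsecureContent: false };

function demo() {
  const policies = { PERMISSIVE_POLICY, STRICT_POLICY, BLOCK_ACTIVE_ONLY };
  for (const [name, policy] of Object.entries(policies)) {
    console.log(name, blockedSubresources(PAGE_URL, SAMPLE_MANIFEST, policy));
  }
}

demo();
```

With both flags false the http image and the http script are refused while the same-origin, protocol-relative and cross-origin https scripts all still load, which is exactly why a per-domain javascript whitelist and these two settings are complementary rather than interchangeable.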

