[webkit-reviews] review denied: [Bug 73959] Web Inspector: allow cross-domain requests for inspector; use XHR, not custom InspectorFrontendHost methods to fetch things : [Attachment 118414] Patch

bugzilla-daemon at webkit.org
Sun Dec 11 09:38:08 PST 2011


Pavel Feldman <pfeldman at chromium.org> has denied Andrey Kosyakov
<caseq at chromium.org>'s request for review:
Bug 73959: Web Inspector: allow cross-domain requests for inspector; use XHR,
not custom InspectorFrontendHost methods to fetch things
https://bugs.webkit.org/show_bug.cgi?id=73959

Attachment 118414: Patch
https://bugs.webkit.org/attachment.cgi?id=118414&action=review

------- Additional Comments from Pavel Feldman <pfeldman at chromium.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=118414&action=review


> Source/WebCore/inspector/InspectorFrontendHost.cpp:137
> +	   SecurityPolicy::addOriginAccessWhitelistEntry(*m_frontendOrigin,
schemasToAllowRequestsFor[i], "", true);
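
Review bot: In the addOriginAccessWhitelistEntry call at line 137, the destination domain is "" and the last argument (allow subdomains) is true, so nothing in the call narrows the grant by host for any scheme taken from schemasToAllowRequestsFor. If the front-end needs cross-origin access at all, pass the specific destination host it has to reach instead of an empty domain, and add a comment stating why each listed scheme is required. The array is passed as the protocol argument, so schemesToAllowRequestsFor would be the more accurate name.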

We should not grant additional privileges to the front-end origin since we can
compromise the embedder. It is up to the embedder to choose the origin for the
front-end and granting additional privileges there will be unexpected.

