[webkit-reviews] review denied: [Bug 61581] Check access policy on all storage operations : [Attachment 95072] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 26 17:01:14 PDT 2011
Adam Barth <abarth at webkit.org> has denied jochen at chromium.org's request for
review:
Bug 61581: Check access policy on all storage operations
https://bugs.webkit.org/show_bug.cgi?id=61581
Attachment 95072: Patch
https://bugs.webkit.org/attachment.cgi?id=95072&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=95072&action=review
> Source/WebCore/storage/StorageArea.h:58
> + virtual bool canAccessStorage(Frame* sourceFrame) const = 0;
Typically we don't like to use Frames for security checks because it's slightly
loose as to which Document is in the Frame. Instead, we prefer to use Document
or (ideally) SecurityOrigin. In this case, it seems like StorageArea is mainly
using Frame as its context object, so that might be something to fix in the
future rather than in this patch.
More generally, it seems like this work should be done at the WebKit layer (not
the WebCore layer) since you're just asking the embedder whether this is
allowed.
More information about the webkit-reviews
mailing list