[webkit-reviews] review requested: [Bug 74706] [Qt] QtWebKit disregards LocalContentCanAccessFileUrls setting : [Attachment 136925] Proposed patch + layout test + Qt auto test (v4)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 12 10:16:22 PDT 2012


Bruno Abinader <bruno.de_oliveira at basyskom.de> has asked for review:
Bug 74706: [Qt] QtWebKit disregards LocalContentCanAccessFileUrls setting
https://bugs.webkit.org/show_bug.cgi?id=74706

Attachment 136925: Proposed patch + layout test + Qt auto test (v4)
https://bugs.webkit.org/attachment.cgi?id=136925&action=review

------- Additional Comments from Bruno Abinader <bruno.de_oliveira at basyskom.de>
Please check the updated patch with LayoutTests JavaScript indentation fixes.
Details on security origin handling as follows:
	 
I may not be fully aware of how security origin works together with
user-defined settings, but there's not a single query for WebCore::Settings
properties inside WebCore::SecurityOrigin. AFAIU these are used together by
WebCore::Document when initializing a new security context to enforce file path
separation only. Also from WebCore::Document code, a child frame is allowed to
access its ancestor even if WebCore::Settings' allowFileAccessFromFileURLs is
set to false, but not the opposite. So what this patch fixes is the
relationship from parent frames trying to load subframes. The
WebCore::Settings' allowFileAccessFromFileURLs was completely ignored in that
sense and thus might raise a security issue.

As you can see in the WebCore::SubframeLoader::loadSubframe code, this patch
queries if the subframe's security origin is not unique, nor can the document
security origin access that origin, before reporting local load failure. So
in the end, security origin is taken into consideration, indeed.

