[webkit-reviews] review denied: [Bug 178565] XMLHttpRequest should not treat file URLs as same origin : [Attachment 324475] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Oct 20 17:46:36 PDT 2017


Daniel Bates <dbates at webkit.org> has denied Brent Fulgham
<bfulgham at webkit.org>'s request for review:
Bug 178565: XMLHttpRequest should not treat file URLs as same origin
https://bugs.webkit.org/show_bug.cgi?id=178565

Attachment 324475: Patch

https://bugs.webkit.org/attachment.cgi?id=324475&action=review




--- Comment #23 from Daniel Bates <dbates at webkit.org> ---
Comment on attachment 324475
  --> https://bugs.webkit.org/attachment.cgi?id=324475
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=324475&action=review

>> Source/WebCore/loader/DocumentThreadableLoader.cpp:133
>> +	if (request.requester() == ResourceRequest::Requester::XHR &&
request.url().protocolIs("file") && !securityOrigin().hasUniversalAccess())
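
Review bot: the condition at DocumentThreadableLoader.cpp:133 is gated on request.requester() == ResourceRequest::Requester::XHR, so a request from any other requester that reaches this line with a file URL is not subject to the check. If the rule is about what the origin may load rather than about which API asked, drop the requester term or fold the whole test into one origin-level predicate. If the XHR-only scope is intended, say why in a comment above the if.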
> 
> Can we add a helper function to securityOrigin to check this condition instead?
> Spreading out security checks like this everywhere could lead to different
> parts of WebCore having different cross origin vulnerabilities.

request.url().protocolIs("file") this is not sufficient. We have other
protocols that are file like.
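
The two review points above (one shared helper on the origin, and a scheme test that covers more than the literal "file"), sketched as an added example that is not WebKit code and not part of the patch. `Requester`, `Origin`, `blocksLocalLoad`, `localSchemes` and the `applocal` scheme are hypothetical stand-ins constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Hypothetical stand-ins for illustration; none of these names are WebKit's.
enum class Requester { Other, XHR };

// Lower-cased scheme of a URL, or "" when there is no ':' separator.
static std::string schemeOf(const std::string& url)
{
    auto colon = url.find(':');
    if (colon == std::string::npos)
        return "";
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// One registry of schemes that behave like local files.
// "applocal" is a constructed example of a file-like scheme.
static const std::set<std::string>& localSchemes()
{
    static const std::set<std::string> schemes { "file", "applocal" };
    return schemes;
}

struct Origin {
    bool universalAccess = false;

    // Centralized form: every call site asks the origin the same question.
    bool blocksLocalLoad(Requester requester, const std::string& url) const
    {
        return requester == Requester::XHR
            && localSchemes().count(schemeOf(url)) > 0
            && !universalAccess;
    }
};

// Scattered form: a literal scheme comparison written at one call site.
static bool inlineCheckBlocks(Requester requester, const std::string& url, const Origin& origin)
{
    return requester == Requester::XHR && schemeOf(url) == "file" && !origin.universalAccess;
}
```

A call site that keeps the literal comparison lets the constructed `applocal` URL through, while the shared helper blocks it along with `file`.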

