[webkit-reviews] review denied: [Bug 178565] XMLHttpRequest should not treat file URLs as same origin : [Attachment 324475] Patch
bugzilla-daemon at webkit.org
Fri Oct 20 17:46:36 PDT 2017
Daniel Bates <dbates at webkit.org> has denied Brent Fulgham
<bfulgham at webkit.org>'s request for review:
Bug 178565: XMLHttpRequest should not treat file URLs as same origin
https://bugs.webkit.org/show_bug.cgi?id=178565
Attachment 324475: Patch
https://bugs.webkit.org/attachment.cgi?id=324475&action=review
--- Comment #23 from Daniel Bates <dbates at webkit.org> ---
Comment on attachment 324475
--> https://bugs.webkit.org/attachment.cgi?id=324475
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=324475&action=review
>> Source/WebCore/loader/DocumentThreadableLoader.cpp:133
>> + if (request.requester() == ResourceRequest::Requester::XHR &&
request.url().protocolIs("file") && !securityOrigin().hasUniversalAccess())
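Review bot: at DocumentThreadableLoader.cpp:133 the condition only applies when request.requester() is ResourceRequest::Requester::XHR, so a file URL request that reaches this line with any other requester value is not covered by it. If the restriction is meant to be XHR-only, say so in a comment next to the condition; if it is not, drop the requester test so the protocolIs("file") and hasUniversalAccess() checks apply to every request that gets here.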
>
> Can we add a helper function to securityOrigin to check this condition instead?
> Spreading out security checks like this everywhere could lead to different parts of WebCore having different cross origin vulnerabilities.
request.url().protocolIs("file"): this is not sufficient. We have other protocols that are file-like.