[Webkit-unassigned] [Bug 12107] Security Regression: Plugins load remote javascript in embedded page's context
bugzilla-daemon at webkit.org
Thu Jan 4 06:02:34 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12107
ddkilzer at webkit.org changed:
What | Removed | Added
----------------------------------------------------------------------------
CC   |         | ggaren at apple.com
------- Comment #6 from ddkilzer at webkit.org 2007-01-04 06:02 PDT -------
Tracing through WebKit while loading hreftrack.html, I found that
[WebPluginController webPlugInContainerLoadRequest:inFrame:] in
WebKit/Plugins/WebPluginController.mm appears to be the weak link (where the
JavaScript from the QuickTime movie on another site is implicitly trusted and
run in the current frame's context).
I've added a FIXME comment below where I think this should happen:
    NSString *JSString = [[request URL] _webkit_scriptIfJavaScriptURL];
    if (JSString) {
        if ([frame findFrameNamed:target] != frame) {
            LOG_ERROR("JavaScript requests can only be made on the frame that contains the plug-in");
            return;
        }
        // FIXME: Verify domain of QuickTime (or other) object matches domain of current frame
        [[frame _bridge] stringByEvaluatingJavaScriptFromString:JSString];
    } else {
        if (!request) {
            LOG_ERROR("could not load URL %@", [request URL]);
            return;
        }
        [frame _frameLoader]->load(request, target);
    }
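Added example, not WebKit's code and not part of the bug comment above: the origin comparison the FIXME asks for, written in C++ with a minimal scheme/host/port parser. The host names are constructed for illustration, and the parser assumes URLs without userinfo or IPv6 host literals.

```cpp
#include <cctype>
#include <string>

// Security origin in the sense of the same-origin policy: scheme, host and port.
struct Origin {
    std::string scheme;
    std::string host;
    int port = 0;
    bool operator==(const Origin& other) const {
        return scheme == other.scheme && host == other.host && port == other.port;
    }
};

static std::string lowercased(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Minimal parser for scheme://host[:port]/... URLs (assumption: no userinfo,
// no IPv6 host literals). Unknown schemes get port 0 so they only match themselves.
Origin originOf(const std::string& url) {
    Origin origin;
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return origin;  // javascript:, data: etc. carry no network origin of their own
    origin.scheme = lowercased(url.substr(0, schemeEnd));
    size_t hostStart = schemeEnd + 3;
    size_t hostEnd = url.find_first_of("/?#", hostStart);
    size_t authorityLength = hostEnd == std::string::npos ? std::string::npos : hostEnd - hostStart;
    std::string authority = url.substr(hostStart, authorityLength);
    size_t colon = authority.rfind(':');
    if (colon != std::string::npos && colon + 1 < authority.size()) {
        origin.host = lowercased(authority.substr(0, colon));
        origin.port = std::stoi(authority.substr(colon + 1));
    } else {
        origin.host = lowercased(colon == std::string::npos ? authority : authority.substr(0, colon));
        origin.port = origin.scheme == "https" ? 443 : origin.scheme == "http" ? 80 : 0;
    }
    return origin;
}

// The check the FIXME describes: a javascript: request issued by a plug-in is
// evaluated only when the plug-in's own resource shares the frame document's origin.
bool pluginMayRunScriptInFrame(const std::string& pluginResourceURL,
                               const std::string& frameDocumentURL) {
    Origin plugin = originOf(pluginResourceURL);
    if (plugin.scheme.empty())
        return false;  // resource with no origin is never trusted
    return plugin == originOf(frameDocumentURL);
}
```

In a real engine the origin should come from the frame's document and the plug-in's loaded resource, not from re-parsing URL strings; the comparison itself is the part this example demonstrates.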