[Webkit-unassigned] [Bug 12107] Security Regression: Plugins load remote javascript in embedded page's context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 4 06:02:34 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12107


ddkilzer at webkit.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ggaren at apple.com




------- Comment #6 from ddkilzer at webkit.org  2007-01-04 06:02 PDT -------
Tracing through WebKit while loading hreftrack.html, I found that
[WebPluginController webPlugInContainerLoadRequest:inFrame:] in
WebKit/Plugins/WebPluginController.mm appears to be the weak link (where the
JavaScript from the QuickTime movie on another site is implicitly trusted and
run in the current frame's context).

I've added a FIXME comment below where I think this should happen:

    NSString *JSString = [[request URL] _webkit_scriptIfJavaScriptURL];
    if (JSString) {
        if ([frame findFrameNamed:target] != frame) {
            LOG_ERROR("JavaScript requests can only be made on the frame that contains the plug-in");
            return;
        }
        // FIXME: Verify domain of QuickTime (or other) object matches domain of current frame
        [[frame _bridge] stringByEvaluatingJavaScriptFromString:JSString];
    } else {
        if (!request) {
            LOG_ERROR("could not load URL %@", [request URL]);
            return;
        }
        [frame _frameLoader]->load(request, target);
    }
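
To make the check the FIXME asks for concrete, the following is an added model of the decision the container should make (illustration only, not WebKit code; the `frame`, `plugin` and `request` shapes and the site names are assumed). It mirrors the three steps in the snippet above: recognise a javascript: URL, require that it targets the plug-in's own frame, and then refuse to evaluate unless the plug-in's content and the frame's document share an origin.

```javascript
// Added illustration of the same-origin check missing from the javascript:
// URL path of webPlugInContainerLoadRequest:inFrame:. Not WebKit code.

// Return the script body of a javascript: URL, or null for any other URL.
// The scheme is matched case-insensitively, as a URL scheme should be.
function scriptIfJavaScriptURL(urlString) {
  const trimmed = urlString.trimStart();
  if (!/^javascript:/i.test(trimmed)) return null;
  return trimmed.slice("javascript:".length);
}

// Origin = scheme + host + port; this is what a same-origin check compares.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// frame:   { name, url }        the frame containing the plug-in
// plugin:  { sourceURL }        where the plug-in's content (e.g. a movie) came from
// request: { url, target }      what the plug-in asked the container to load
function handlePluginRequest(frame, plugin, request) {
  const script = scriptIfJavaScriptURL(request.url);
  if (script === null) {
    // Ordinary navigation: hand it to the frame loader as before.
    return { action: "load", url: request.url, target: request.target };
  }
  if (request.target !== frame.name) {
    return { action: "refuse", reason: "javascript: request targets another frame" };
  }
  // The missing step: the plug-in may only script a document of its own origin.
  const pluginOrigin = originOf(plugin.sourceURL);
  const frameOrigin = originOf(frame.url);
  if (pluginOrigin !== frameOrigin) {
    return { action: "refuse", reason: `plug-in origin ${pluginOrigin} differs from frame origin ${frameOrigin}` };
  }
  return { action: "evaluate", script };
}

// Constructed sample: a page on one site embedding a movie served from another.
const sampleFrame = { name: "main", url: "http://site-a.example/page.html" };
const crossSitePlugin = { sourceURL: "http://site-b.example/movie.mov" };
const sameSitePlugin = { sourceURL: "http://site-a.example/media/movie.mov" };
const jsRequest = { url: "javascript:document.title", target: "main" };

console.log(handlePluginRequest(sampleFrame, crossSitePlugin, jsRequest)); // refuse
console.log(handlePluginRequest(sampleFrame, sameSitePlugin, jsRequest));  // evaluate
```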

