[Webkit-unassigned] [Bug 12107] Security Regression: Plugins load remote javascript in embedded page's context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 4 06:55:28 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12107

------- Comment #7 from ddkilzer at webkit.org  2007-01-04 06:55 PDT -------
(In reply to comment #6)
> Tracing through WebKit while loading hreftrack.html, I found that
> [WebPluginController webPlugInContainerLoadRequest:inFrame:] in
> WebKit/Plugins/WebPluginController.mm appears to be the weak link (where the
> JavaScript from the QuickTime movie on another site is implicitly trusted and
> run in the current frame's context).

Unfortunately, I'm not sure if it's possible for WebKit to "know" where the
plug-in content came from since the QuickTime plugin is responsible for loading
the content.  As Landon notes in his MOAB #3 blog entry, he had to patch the
QuickTime plug-in's NPN_GetURL() method to do the check.

http://landonf.bikemonkey.org/code/macosx/MOAB_Day_3.20070104063131.4037.zadder.local.html

Of course any plug-in could do the same thing--pull JavaScript from anywhere
and pass it to WebKit to execute in the local context.


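To make the mechanism in the comment above concrete, here is an added example that is not part of the bug thread, WebKit, or QuickTime: a small JavaScript model of the decision a plug-in host has to make when a plug-in asks it to load a URL into a frame. `loadRequestUnpatched` models the trust-everything behaviour the comment describes (a `javascript:` URL handed over by the plug-in runs in the embedding page's context, wherever the plug-in content came from); `loadRequestPatched` models the origin check Landon's patch added to NPN_GetURL, generalised to any plug-in that reports where its content came from. The function names, the request shape (`url`, `contentURL`) and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not WebKit or QuickTime code. All names and the request
// shape are hypothetical; the sample requests below are constructed.
// Uses Node's global WHATWG URL class.

// Origin of a URL as scheme://host[:port]; URL normalises default ports.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "http://example.com"
}

// Unpatched behaviour described in the bug: whatever URL the plug-in hands
// over is loaded into the target frame, javascript: URLs included, so the
// script executes with the embedding page's origin as its context.
function loadRequestUnpatched(frameDocumentURL, request) {
  if (request.url.startsWith("javascript:")) {
    return { action: "execute-script", context: originOf(frameDocumentURL) };
  }
  return { action: "navigate", url: request.url };
}

// Hardened behaviour: a javascript: URL is only honoured when the plug-in
// content that supplied it shares the embedding document's origin. The host
// can only do this if the plug-in reports contentURL; a plug-in that loads
// its content itself and says nothing leaves the host with nothing to check,
// so such requests fail closed.
function loadRequestPatched(frameDocumentURL, request) {
  if (!request.url.startsWith("javascript:")) {
    return { action: "navigate", url: request.url };
  }
  if (!request.contentURL) {
    return { action: "blocked", reason: "plug-in did not report content origin" };
  }
  const pageOrigin = originOf(frameDocumentURL);
  const contentOrigin = originOf(request.contentURL);
  if (contentOrigin !== pageOrigin) {
    return { action: "blocked", reason: "cross-origin script from " + contentOrigin };
  }
  return { action: "execute-script", context: pageOrigin };
}

// Constructed samples: the embedding page, and requests as a plug-in might
// issue them when it finds a javascript: link in content it loaded.
const PAGE = "http://example.com/embed.html";

const REMOTE_CONTENT_REQUEST = {
  url: "javascript:alert(document.domain)",
  contentURL: "http://attacker.test/movie.mov", // content served elsewhere
  target: "_self",
};

const SAME_ORIGIN_REQUEST = {
  url: "javascript:alert(document.domain)",
  contentURL: "http://example.com:80/movie.mov", // same origin, default port
  target: "_self",
};

const PLAIN_NAVIGATION = { url: "http://other.test/page.html", target: "_self" };

const UNATTRIBUTED_REQUEST = { url: "javascript:alert(1)", target: "_self" };

// Runs every sample through both policies for a side-by-side view.
function compare() {
  const samples = {
    remote: REMOTE_CONTENT_REQUEST,
    sameOrigin: SAME_ORIGIN_REQUEST,
    navigation: PLAIN_NAVIGATION,
    unattributed: UNATTRIBUTED_REQUEST,
  };
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      unpatched: loadRequestUnpatched(PAGE, req).action,
      patched: loadRequestPatched(PAGE, req).action,
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

The unpatched policy executes the script for both `javascript:` requests; the patched one executes only the same-origin request, blocks the remote one and the unattributed one, and leaves ordinary navigations alone. The port in `SAME_ORIGIN_REQUEST` is there to show that the comparison is on normalised origins, not raw strings.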