[Webkit-unassigned] [Bug 12107] Security Regression: Plugins load remote javascript in embedded page's context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 4 06:55:28 PST 2007


------- Comment #7 from ddkilzer at webkit.org  2007-01-04 06:55 PDT -------
(In reply to comment #6)
> Tracing through WebKit while loading hreftrack.html, I found that
> [WebPluginController webPlugInContainerLoadRequest:inFrame:] in
> WebKit/Plugins/WebPluginController.mm appears to be the weak link (where the
> JavaScript from the QuickTime movie on another site is implicitly trusted and
> run in the current frame's context).

Unfortunately, I'm not sure if it's possible for WebKit to "know" where the
plug-in content came from since the QuickTime plugin is responsible for loading
the content.  As Landon notes in his MOAB #3 blog entry, he had to patch
QuickTime plug-in's nNPN_GetURL() method to do the check.


Of course any plug-in could do the same thing--pull JavaScript from anywhere
and pass it to WebKit to execute in the local context.

Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list