[Webkit-unassigned] [Bug 27239] Do not do HTTP Refresh to javascript: or other dangerous URI schemes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 10 12:14:46 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=27239
--- Comment #9 from Chris Evans <scarybeasts at gmail.com>  2009-08-10 12:14:45 PDT ---
@adam: at this time, I am pretty buried auditing some of the new features for
the next version of Chrome. If you wanted this addressed sooner, I'd gladly
accept the offer of help.

Re: comment #8, I agree with sbjesse. This is not the proper fix for the
view-source: Refresh interaction; even with this restriction in place, someone
could simply Refresh: 0;http://www.evil.com/ which still hijacks
window.location (which could then execute script, as per the original complaint
that it should not be possible for a view-source: URL to render active
content).

This fix still has individual merit, however. Looks like Firefox just made this
change as a defense-in-depth measure for web apps, such that careless
construction of Refresh: headers cannot lead to XSS.
