[Webkit-unassigned] [Bug 37392] Run the SVG <img> rendering context in a unique origin as a defense in depth measure

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Apr 10 17:25:20 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=37392

--- Comment #4 from Chris Evans <scarybeasts at gmail.com>  2010-04-10 17:25:20 PST ---
The only way I can see for the sandbox flags on the FrameLoader to get
overridden is if a parent HTMLFrameElement changes state. This will never
happen to our temporary SVG loader, which has an SVG document at the root :)

I like doing this on the FrameLoader because any other origins created from it
will also inherit the same sandboxing state. For example, an SVG could contain
an html:iframe element[*]. If we do a one-off patch-up on the SecurityOrigin, I
worry that a complicated and clever SVG could bypass it.

[*] - this is pretty ugly in the <img> context. I may be changing things here,
but for now we should assume these uglies exist.
