[Webkit-unassigned] [Bug 37392] Run the SVG <img> rendering context in a unique origin as a defense in depth measure
bugzilla-daemon at webkit.org
Sat Apr 10 17:25:20 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=37392
--- Comment #4 from Chris Evans <scarybeasts at gmail.com> 2010-04-10 17:25:20 PST ---
The only way I can see for the sandbox flags on the FrameLoader to get
overridden is if a parent HTMLFrameElement changes state. This will never
happen to our temporary SVG loader, which has an SVG document at the root :)
I like doing this on the FrameLoader because any other origins created from it
will also inherit the same sandboxing state. For example, an SVG could contain
an html:iframe element[*]. If we do a one-off patch up on the SecurityOrigin, I
worry that a complicated & clever SVG could bypass it.
[*] - this is pretty ugly in the <img> context. I may be changing things here,
but for now we should assume these uglies exist.
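The design point in the comment, that sandbox flags held by the frame loader are inherited by any child frame it creates whereas a one-off patch of the root SecurityOrigin is not, can be illustrated with a small model. The code below is an added example written for this page; it is not WebKit code and not part of the bug comment. All names in it (Frame, loaderFlags, createChildFrame, nestedIframeIsUnique, the URL strings) are constructed for the illustration and do not correspond to WebKit's actual classes or APIs.

```cpp
// Toy model (not WebKit code) contrasting the two strategies discussed:
//  (A) set the sandbox-origin flag on the frame loader, so every child frame
//      created under it inherits the flag and therefore a unique origin;
//  (B) patch only the root document's SecurityOrigin, so a nested html:iframe
//      derives its origin from its own URL and escapes the sandbox.
#include <memory>
#include <string>
#include <vector>

enum SandboxFlags : unsigned { SandboxNone = 0, SandboxOrigin = 1u << 0 };

struct Origin {
    std::string host;   // empty when the origin is unique (opaque)
    bool unique;
};

struct Frame {
    SandboxFlags loaderFlags = SandboxNone;   // flags carried by this frame's loader
    std::string documentURL;
    Origin origin{"", true};
    std::vector<std::unique_ptr<Frame>> children;
};

// Derive an origin from a URL unless the sandbox-origin flag forces a unique one.
// Hypothetical host extraction: everything between "://" and the next "/".
static Origin originFor(const std::string& url, SandboxFlags flags) {
    if (flags & SandboxOrigin)
        return Origin{"", true};
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return Origin{"", true};          // unparseable URL: treat as unique
    const auto hostStart = schemeEnd + 3;
    const auto hostEnd = url.find('/', hostStart);
    return Origin{url.substr(hostStart, hostEnd == std::string::npos ? std::string::npos
                                                                    : hostEnd - hostStart),
                  false};
}

// Create a child frame (e.g. an html:iframe inside the SVG). The child's loader
// inherits the parent's loader flags; its origin follows from those flags.
static Frame& createChildFrame(Frame& parent, const std::string& url) {
    auto child = std::make_unique<Frame>();
    child->loaderFlags = parent.loaderFlags;            // inheritance is the key step
    child->documentURL = url;
    child->origin = originFor(url, child->loaderFlags);
    parent.children.push_back(std::move(child));
    return *parent.children.back();
}

// Load an SVG as an <img> under strategy A (sandboxOnLoader == true) or B (false).
static Frame loadSvgImage(const std::string& svgURL, bool sandboxOnLoader) {
    Frame root;
    root.documentURL = svgURL;
    if (sandboxOnLoader) {
        root.loaderFlags = SandboxOrigin;               // strategy A
        root.origin = originFor(svgURL, root.loaderFlags);
    } else {
        root.loaderFlags = SandboxNone;                 // strategy B: loader untouched,
        root.origin = Origin{"", true};                 // only the root origin is patched
    }
    return root;
}

// Returns true when an iframe nested inside the SVG image also ends up with a
// unique origin, i.e. when the defence cannot be bypassed by nesting a frame.
bool nestedIframeIsUnique(bool sandboxOnLoader) {
    Frame root = loadSvgImage("https://images.example/logo.svg", sandboxOnLoader);
    Frame& iframe = createChildFrame(root, "https://victim.example/page.html");
    return root.origin.unique && iframe.origin.unique;
}

int main() {
    // Strategy A keeps the nested frame unique; strategy B lets it regain
    // the https://victim.example origin, which is the bypass worried about.
    return (nestedIframeIsUnique(true) && !nestedIframeIsUnique(false)) ? 0 : 1;
}
```

In this model the only difference between the two strategies is where the flag lives: on the loader it travels with every frame created beneath the SVG document, while a patched origin on the root says nothing about the origin a nested frame computes for itself.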