[Webkit-unassigned] [Bug 38424] add support for text/html-sandboxed on sandboxed iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 19 10:35:47 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38424
--- Comment #8 from eduardo <evn at google.com>  2010-08-19 10:35:47 PST ---
(In reply to comment #6)
> (In reply to comment #4)
> > One more thing I am not sure if it's even possible. Could it be possible that if a plugin requests a document with text/html-sandboxed to return access denied?
> 
> If I understand your question right, you're referring to HTTP requests in a plugin's native code. There is no way for WebKit to affect these. (That is because a plugin can do what it pleases -- which is either a bug or a feature, depending on your point of view.)
> 
> So, no, unfortunately.

No, I don't mean that.

For example, let's say that:
http://webkit.com/sandboxed.php?id=1111

serves a SWF file, then an attacker could do

<embed src="http://webkit.com/sandboxed.php?id=1111">

And it would load the SWF file and execute on webkit.com's domain.

If for applets, objects and embeds we change their behavior, so that if the request actually returns a text/html-sandboxed content-type it is not loaded/returned, then it would solve this problem:

http://lists.w3.org/Archives/Public/public-web-security/2010May/0000.html

So, to clear the idea:

If the request is made as a result of an EMBED, OBJECT or APPLET element, then the resource will trigger a security exception.

Greetings!!
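The rule proposed in this comment, modelled as an added example (not WebKit code and not part of the bug thread): a Content-Type gate that refuses a text/html-sandboxed response for EMBED, OBJECT and APPLET loads while still letting a sandboxed iframe render it. The context names, the `load_decision` function and the "download" outcome for top-level and non-sandboxed iframe contexts are assumptions, not something the comment specifies.

```python
# Added example (not WebKit code): a content-type gate modelling the
# text/html-sandboxed proposal, extended to plugin elements as suggested
# in the comment above. Context names and the "download" outcome for
# non-sandboxed contexts are assumptions.

SANDBOXED_HTML = "text/html-sandboxed"
PLUGIN_ELEMENTS = {"embed", "object", "applet"}
FRAME_CONTEXTS = {"sandboxed-iframe", "iframe", "top-level"}


def media_type(content_type: str) -> str:
    """Lowercase media type of a Content-Type header value, parameters dropped.

    'Text/HTML-Sandboxed; charset=utf-8' -> 'text/html-sandboxed'
    """
    return content_type.split(";", 1)[0].strip().lower()


def load_decision(context: str, content_type: str) -> str:
    """Decide what the browser does with a response in a given load context.

    context: one of PLUGIN_ELEMENTS (the element that issued the request)
             or FRAME_CONTEXTS (where a navigation response will land).
    Returns one of: 'load', 'render-sandboxed', 'download', 'refuse'.
    """
    context = context.lower()
    if context not in PLUGIN_ELEMENTS | FRAME_CONTEXTS:
        raise ValueError(f"unknown load context: {context!r}")

    if media_type(content_type) != SANDBOXED_HTML:
        # Ordinary content types are unaffected by this proposal.
        return "load"

    if context in PLUGIN_ELEMENTS:
        # The comment's rule: a plugin element never receives a
        # text/html-sandboxed response; the load raises a security
        # exception instead of handing the bytes (e.g. a SWF) to the plugin.
        return "refuse"

    if context == "sandboxed-iframe":
        # The intended consumer: rendered as HTML under the iframe sandbox.
        return "render-sandboxed"

    # Assumed behaviour for top-level and non-sandboxed iframes: the type is
    # treated as unknown and not rendered as HTML (e.g. offered for download).
    return "download"
```

The check is on the media type alone, so a parameter such as `charset=` or a differently cased header does not bypass it.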
