[Webkit-unassigned] [Bug 38424] add support for text/html-sandboxed on sandboxed iframes
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Aug 19 10:35:47 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=38424
--- Comment #8 from eduardo <evn at google.com> 2010-08-19 10:35:47 PST ---
(In reply to comment #6)
> (In reply to comment #4)
> > One more thing I am not sure if it's even possible. Could it be possible that if a plugin requests a document with text/html-sandboxed to return access denied?
>
> If I understand your question right, you're referring to HTTP requests in a plugin's native code. There is no way for WebKit to affect these. (That is because a plugin can do what it pleases -- which is either a bug or a feature, depending on your point of view.)
>
> So, no, unfortunately.
No, I dont mean that
For example, let's say that:
http://webkit.com/sandboxed.php?id=1111
serves a SWF file, then an attacker could do
<embed src="http://webkit.com/sandboxed.php?id=1111">
And it would load the SWF file and execute on webkit.com's domain.
If for applets, objects and embeds we change its behavior, so that if the request actually returns a text/html-sandboxed content-type it is not loaded/returned, then it would solve this problem:
http://lists.w3.org/Archives/Public/public-web-security/2010May/0000.html
So, to clear the idea:
If the request is made as a result of an EMBED, OBJECT or APPLET element, then the resource will trigger a security exception.
Greetings!!
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list