[Webkit-unassigned] [Bug 51674] LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Dec 28 21:42:53 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51674
--- Comment #2 from Pushparajan V <pushparajan.vijayakumar at nokia.com> 2010-12-28 21:42:53 PST ---
(In reply to comment #1)
> > As per the documentation, LocalContentCanAccessRemoteUrls should only enable XHR for remote URL.
>
> Maybe a documentation mistake?
Not sure. May be its a documentation problem. But LocalContentCanAccessRemoteUrls blindly grants universalAccess for the page where its enabled which in turn allows parent to child javascript calls to execute.
Previously, XHR was allowed using, SecurityOrigin::addOriginAccessWhitelistEntry API. The XHR security check is done only for the requests using SecurityOrigin::canRequest API inside webkit.
But now, with LocalContentCanAccessRemoteUrls, the SecurityOrigin::canAccess API is used which always returns true in the context of the page where its enabled.
Is this an expected behavior from LocalContentCanAccessRemoteURLs?
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list