[Webkit-unassigned] [Bug 51674] LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 29 21:02:48 PST 2010

https://bugs.webkit.org/show_bug.cgi?id=51674

--- Comment #3 from Adam Barth <abarth at webkit.org>  2010-12-29 21:02:48 PST ---
> Not sure. Maybe it's a documentation problem. But LocalContentCanAccessRemoteUrls blindly grants universalAccess for the page where it's enabled, which in turn allows parent-to-child JavaScript calls to execute.

That's correct.

> Previously, XHR was allowed using the SecurityOrigin::addOriginAccessWhitelistEntry API. The XHR security check is done only for requests using the SecurityOrigin::canRequest API inside WebKit.

I think that's a question of how far back in history you go.  Certainly local URLs had universal access in WebKit before the addOriginAccessWhitelistEntry API existed.

> But now, with LocalContentCanAccessRemoteUrls, the SecurityOrigin::canAccess API is used, which always returns true in the context of the page where it's enabled.

Correct.

> Is this expected behavior from LocalContentCanAccessRemoteURLs?

It is.  Note that this setting is pretty insecure because once local content starts interacting with remote URLs, it's very likely to leak its privileges to those URLs.  We can add another setting for LocalContentCanRequestRemoteURLs to enable XHR access only, if you like, which is a bit safer but also problematic on systems, such as laptops, that let users store remote content in the local filesystem.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
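As an added illustration (not WebKit's code and not part of this bug thread), the following is a reduced C++ model of the two checks contrasted above. It shows why an addOriginAccessWhitelistEntry entry only widens canRequest (the XHR path), while grantUniversalAccess, which is what LocalContentCanAccessRemoteUrls amounts to, makes canAccess (the DOM/cross-frame scripting path) succeed against every origin, not just the one the local page wanted to talk to. The names mirror WebKit's, but the logic is a simplification written for this note: it omits document.domain handling, unique origins and the file-URL check that the real SecurityOrigin::canAccess performs, and the whitelist is a plain vector rather than WebKit's per-origin map. The origins file://, http://example.com and https://bank.example are constructed sample inputs.

```cpp
// Added example, not WebKit's code: a reduced model of SecurityOrigin::canRequest
// (used for XHR) versus SecurityOrigin::canAccess (used for DOM / cross-frame
// scripting), and of what grantUniversalAccess() does to each.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Does `host` end with "." + `domain`? (the allowSubdomains case of a whitelist entry)
static bool isSubdomainOf(const std::string& host, const std::string& domain) {
    if (host.size() <= domain.size()) return false;
    return host.compare(host.size() - domain.size(), domain.size(), domain) == 0
        && host[host.size() - domain.size() - 1] == '.';
}

struct SecurityOrigin {
    std::string protocol;
    std::string host;
    int port;
    bool universalAccess;   // set by grantUniversalAccess()

    SecurityOrigin(std::string p, std::string h, int prt)
        : protocol(std::move(p)), host(std::move(h)), port(prt), universalAccess(false) {}

    // One addOriginAccessWhitelistEntry() record: the source origin may *request*
    // (fetch) from the given destination protocol/host, optionally its subdomains.
    struct WhitelistEntry {
        std::string sourceProtocol, sourceHost, destProtocol, destHost;
        bool allowSubdomains;
    };
    static std::vector<WhitelistEntry>& whitelist() {
        static std::vector<WhitelistEntry> list;   // global, as in WebKit (simplified)
        return list;
    }
    static void addOriginAccessWhitelistEntry(const SecurityOrigin& source,
                                              const std::string& destProtocol,
                                              const std::string& destHost,
                                              bool allowSubdomains) {
        whitelist().push_back({source.protocol, source.host, destProtocol, destHost, allowSubdomains});
    }

    void grantUniversalAccess() { universalAccess = true; }

    bool isSameSchemeHostPort(const SecurityOrigin& other) const {
        return protocol == other.protocol && host == other.host && port == other.port;
    }

    bool isAccessWhiteListed(const SecurityOrigin& target) const {
        for (const auto& e : whitelist()) {
            if (e.sourceProtocol != protocol || e.sourceHost != host) continue;
            if (e.destProtocol != target.protocol) continue;
            if (e.destHost == target.host) return true;
            if (e.allowSubdomains && isSubdomainOf(target.host, e.destHost)) return true;
        }
        return false;
    }

    // May this origin script the other's DOM (parent->child frame calls, contentDocument)?
    // The whitelist is NOT consulted here; only universal access or same origin passes.
    bool canAccess(const SecurityOrigin& other) const {
        if (universalAccess) return true;
        return isSameSchemeHostPort(other);
    }

    // May this origin fetch (XHR) from the other? Universal access, same origin,
    // or a whitelist entry all suffice.
    bool canRequest(const SecurityOrigin& other) const {
        if (universalAccess) return true;
        if (isSameSchemeHostPort(other)) return true;
        return isAccessWhiteListed(other);
    }
};

// The scenario from the thread: a file:// page that wants to talk to http://example.com.
struct Outcome {
    bool whitelistXhr;    // canRequest() with only a whitelist entry
    bool whitelistDom;    // canAccess()  with only a whitelist entry
    bool universalXhr;    // canRequest() after grantUniversalAccess()
    bool universalDom;    // canAccess()  after grantUniversalAccess()
    bool universalAnyDom; // canAccess()  against an unrelated origin after grantUniversalAccess()
};

Outcome runScenario() {
    SecurityOrigin::whitelist().clear();
    SecurityOrigin local("file", "", 0);                 // constructed sample origins
    SecurityOrigin remote("http", "example.com", 80);
    SecurityOrigin other("https", "bank.example", 443);
    Outcome o{};

    // Old mechanism: a whitelist entry lets the local page XHR to example.com only.
    SecurityOrigin::addOriginAccessWhitelistEntry(local, "http", "example.com", true);
    o.whitelistXhr = local.canRequest(remote);   // true
    o.whitelistDom = local.canAccess(remote);    // false: no cross-frame scripting

    // LocalContentCanAccessRemoteUrls: universal access for the local page.
    local.grantUniversalAccess();
    o.universalXhr    = local.canRequest(remote); // true
    o.universalDom    = local.canAccess(remote);  // true: parent->child JS calls now allowed
    o.universalAnyDom = local.canAccess(other);   // true: ...against every origin, not just example.com
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("whitelist: xhr=%d dom=%d | universal: xhr=%d dom=%d anyDom=%d\n",
                o.whitelistXhr, o.whitelistDom, o.universalXhr, o.universalDom, o.universalAnyDom);
    return 0;
}
```

The last line of runScenario is the point of the thread: once universalAccess is set, the local page can script any frame it embeds, which is exactly how its privileges leak to whatever remote content it interacts with.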