[Webkit-unassigned] [Bug 51674] [Qt] LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability
bugzilla-daemon at webkit.org
Wed Dec 29 22:15:02 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51674
Pushparajan V <pushparajan.vijayakumar at nokia.com> changed:
What      | Removed | Added
----------------------------------------------------------------------------
Summary   | LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability | [Qt] LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability
Keywords  | | Qt
Severity  | Major | Normal
Priority  | P2 | P3
Component | WebKit Qt | New Bugs
CC        | | pushparajan.vijayakumar at nokia.com
--- Comment #4 from Pushparajan V <pushparajan.vijayakumar at nokia.com> 2010-12-29 22:15:02 PST ---
(In reply to comment #3)
> I think that's a question of how far back in history you go. Certainly local URLs had universal access in WebKit before the addOriginAccessWhitelistEntry API existed.
I can think of the DumpRenderTree Qt implementation for this. Previously it used qt_drt_whiteListAccessFromOrigin for XHR to be whitelisted for local content. Now, it uses LocalContentCanAccessRemoteURLs. But for tools like this, this option should be fine.
> It is. Note that this setting is pretty insecure because once local content starts interacting with remote URLs, it's very likely to leak its privileges to those URLs. We can add another setting for LocalContentCanRequestRemoteURLs to enable XHR access only, if you like, which is a bit safer but also problematic on systems, such as laptops, that let users store remote content in the local filesystem.
It's better if we have a QWebSetting named LocalContentCanRequestRemoteURLs. It is also possible now to use the qt_drt_whiteListAccessFromOrigin API to whitelist the URLs suitable for remote request. But if there is a setting for this, then it can be widely used for any local content which just needs to request remote URLs. This option can also stress the property that no privileges are leaked to any external URLs.