[Webkit-unassigned] [Bug 34296] Provide a way for WebKit clients to specify a more granular policy for cross-origin frame access

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 18 16:33:38 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=34296





--- Comment #4 from Mike Thole <mthole at mikethole.com>  2010-02-18 16:33:37 PST ---
Currently, a WebKit client that wants to allow cross-origin frame access can do
so using WebView's registerURLSchemeAsLocal:, assuming that the
allowUniversalAccessFromFileURLs() setting enabled.

What I'm trying to do is allow cross-origin frame access without also treating
the custom URL protocol as a local protocol.  The asymmetric access
vulnerabilities mentioned in the linked paper are valid reasons for caution,
but they can be prevented with careful programming.  WebKit clients should be
able to choose to allow cross-frame access without going crazy and giving the
URL protocol local access.

The white list functionality added for 24853 seemed ideal for this purpose. 
Maybe that API could be modified or added to, such that a WebKit client could
explicitly opt-in to cross-origin frame access?  One simple solution would be
to add an additional parameter to whiteListAccessFromOrigin() that specified
what type of access was whitelisted (just XHR or frame access).

Do you have any suggestions on how this could best be accomplished?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.



More information about the webkit-unassigned mailing list