[Webkit-unassigned] [Bug 34296] Provide a way for WebKit clients to specify a more granular policy for cross-origin frame access

bugzilla-daemon at webkit.org
Fri Feb 19 18:43:05 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=34296


Maciej Stachowiak <mjs at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mjs at apple.com




--- Comment #5 from Maciej Stachowiak <mjs at apple.com>  2010-02-19 18:43:04 PST ---
(In reply to comment #4)
> Currently, a WebKit client that wants to allow cross-origin frame access can do
> so using WebView's registerURLSchemeAsLocal:, assuming that the
> allowUniversalAccessFromFileURLs() setting is enabled.
> 
> What I'm trying to do is allow cross-origin frame access without also treating
> the custom URL protocol as a local protocol.  The asymmetric access
> vulnerabilities mentioned in the linked paper are valid reasons for caution,
> but they can be prevented with careful programming.  WebKit clients should be
> able to choose to allow cross-frame access without going crazy and giving the
> URL protocol local access.
> 
> The white list functionality added for 24853 seemed ideal for this purpose. 
> Maybe that API could be modified or added to, such that a WebKit client could
> explicitly opt-in to cross-origin frame access?  One simple solution would be
> to add an additional parameter to whiteListAccessFromOrigin() that specified
> what type of access was whitelisted (just XHR or frame access).
> 
> Do you have any suggestions on how this could best be accomplished?

I can see how clients may have valid use cases for an XHR-only whitelist, given
Adam's paper. I can also understand that there are valid use cases for giving
cross-frame scripting access without granting local access.

I think your idea of extending the whitelisting mechanism makes sense. That way
both sets of use cases can be satisfied.
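
An added example, not part of the original message and not WebKit code: a minimal C++ model of the proposal discussed above, in which each whitelist entry records which type of access (XHR or frame access) it grants. Every type and function name here is hypothetical, and the sample origins in the usage are constructed.

```cpp
#include <string>
#include <vector>

// Hypothetical model of the proposal; none of these names are WebKit APIs.
enum AccessType : unsigned { XHRAccess = 1u << 0, FrameAccess = 1u << 1 };

struct Origin {
    std::string protocol, host;
    int port;
    bool operator==(const Origin& o) const {
        return protocol == o.protocol && host == o.host && port == o.port;
    }
};

struct WhitelistEntry {
    Origin source;
    std::string destProtocol, destHost;
    bool allowSubdomains;
    unsigned allowed;  // bitmask of AccessType values granted by this entry
};

class OriginAccessWhitelist {
public:
    void add(const Origin& source, const std::string& destProtocol,
             const std::string& destHost, bool allowSubdomains, unsigned allowed) {
        m_entries.push_back({source, destProtocol, destHost, allowSubdomains, allowed});
    }

    // Same-origin access is always allowed. Cross-origin access is denied
    // unless an entry for this source grants this specific access type.
    bool canAccess(const Origin& source, const Origin& dest, AccessType type) const {
        if (source == dest) return true;
        for (const WhitelistEntry& e : m_entries) {
            if (!(e.source == source) || e.destProtocol != dest.protocol)
                continue;
            if (hostMatches(e, dest.host) && (e.allowed & type))
                return true;
        }
        return false;
    }

private:
    static bool hostMatches(const WhitelistEntry& e, const std::string& host) {
        if (host == e.destHost) return true;
        // Subdomains must match on a label boundary ("evilexample.com" != "example.com").
        const std::string suffix = "." + e.destHost;
        return e.allowSubdomains && host.size() > suffix.size()
            && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    std::vector<WhitelistEntry> m_entries;
};
```

In this model an XHR-only entry never satisfies a frame-access check, and a grant is one-directional: the destination origin gains nothing over the source.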
