[Webkit-unassigned] [Bug 38424] add support for text/html-sandboxed on sandboxed iframes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 5 23:51:14 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38424


Adam Barth <abarth at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #66200|review?, commit-queue?      |review-
               Flag|                            |




--- Comment #32 from Adam Barth <abarth at webkit.org>  2010-09-05 23:51:13 PST ---
(From update of attachment 66200)
View in context: https://bugs.webkit.org/attachment.cgi?id=66200&action=prettypatch

We definitely need some more tests.  For example, you should test the case where you load a document into a sandboxed frame, remove the sandbox attribute, and then try to load a text/html-sandboxed resource (and the reverse).  Those tests will show that we're getting the bit from the frame and not from the document (which freezes its bits).  Also, we should think about how to test for the absence of the gap mentioned below.

> WebCore/loader/DocumentLoader.cpp:284
> +            && !frameLoader->isSandboxed(SandboxOrigin)
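Review bot: the `!frameLoader->isSandboxed(SandboxOrigin)` check at DocumentLoader.cpp:284 reads the frame's live sandbox flags, not the flags the document being loaded will freeze, so a change to the frame's `sandbox` attribute between this check and the point where the document freezes its bits would let the two disagree. Evaluate the condition against the same snapshot of flags the document freezes (take it once and use it for both), and cover the gap with the tests described in this comment: load a document into a sandboxed frame, remove the attribute, then load a text/html-sandboxed resource, and the reverse.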
I wonder slightly if this is the right time to ask the sandbox state.  We need to be sure the frame has the sandbox bit turned on at the instant the document freezes its sandbox bits.  If there's a window of opportunity for JavaScript to change the frame's attribute, we could get in trouble, especially since that scenario can be triggered by an attacker.  How can we assure ourselves that there's no gap here?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
