[Webkit-unassigned] [Bug 74706] New: [Qt] QtWebKit disregards LocalContentCanAccessFileUrls setting
bugzilla-daemon at webkit.org
Fri Dec 16 03:37:46 PST 2011
https://bugs.webkit.org/show_bug.cgi?id=74706
Summary: [Qt] QtWebKit disregards LocalContentCanAccessFileUrls setting
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Keywords: Qt, Regression
Severity: Major
Priority: P2
Component: WebKit Qt
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: bruno.de_oliveira at basyskom.de
QtWebKit's default local load policy is WebCore::SecurityOrigin::AllowLocalLoadsForLocalAndSubstituteData. This policy automagically allows local content to load more local content, including local files. The problem now lies with WebCore::Settings::allowFileAccessFromFileURLs(), which gets ignored when local load policy allows substitute data to do so. What it means is that even if the developer sets this setting to false, local files are still accessible, which raises a security issue.
The issue was found while doing tests on QtWebKit 2.2. On QtWebKit 2.1 this behavior is not present, thus it started with patch d287567e486ad3902fe6d79bcbad42f64f536bc5. Trunk was tested as well and the issue is still present.
PMO Bug 292822.
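A regression probe for the behaviour reported above, as an added example that is not part of the original bug report or the WebKit code base: loaded as local content in a view where LocalContentCanAccessFileUrls has been set to false, it reports a violation if a synchronous XMLHttpRequest to another file: URL still returns data. The function names, the injectable `XhrCtor` parameter and the placeholder target path are assumptions made for the example.

```javascript
// Added example (not from the bug report). Written in ES5 so that it also
// runs in older JavaScript engines.

// Try to read `url` from the current document. XhrCtor is a hypothetical
// injection point so the logic can be exercised without a browser.
function probeFileRead(url, XhrCtor) {
  var Ctor = XhrCtor || (typeof XMLHttpRequest !== "undefined" ? XMLHttpRequest : null);
  if (!Ctor) {
    return { readable: false, reason: "no XMLHttpRequest available" };
  }
  var xhr = new Ctor();
  try {
    xhr.open("GET", url, false); // synchronous: the verdict is available on return
    xhr.send(null);
  } catch (e) {
    // A blocked load may surface as an exception from open() or send().
    return { readable: false, reason: "exception: " + (e && e.name ? e.name : String(e)) };
  }
  // file: responses carry no HTTP status, so a successful read reports status 0.
  // A blocked load can also report status 0, but then the body is empty.
  var body = typeof xhr.responseText === "string" ? xhr.responseText : "";
  if (body.length > 0) {
    return { readable: true, reason: "read " + body.length + " characters, status " + xhr.status };
  }
  return { readable: false, reason: "empty response, status " + xhr.status };
}

// settingEnabled is the value the embedding application gave
// LocalContentCanAccessFileUrls. A violation is a successful read while
// the setting is false.
function checkSetting(settingEnabled, url, XhrCtor) {
  var result = probeFileRead(url, XhrCtor);
  result.violation = settingEnabled === false && result.readable;
  return result;
}

// In a browser context, probe a non-empty file the test harness created.
// The path is a placeholder, not a value from the report.
if (typeof XMLHttpRequest !== "undefined") {
  var verdict = checkSetting(false, "file:///PLACEHOLDER/probe-target.txt");
  console.log(JSON.stringify(verdict));
}
```

The target file must be non-empty, because an empty body is treated as a blocked read.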