[Webkit-unassigned] [Bug 51674] [Qt] LocalContentCanAccessRemoteUrls creates cross frame scripting vulnerability

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 3 06:37:22 PST 2011


Pushparajan V <pushparajan.vijayakumar at nokia.com> changed:

           What    |Removed                     |Added
                 CC|                            |laszlo.1.gombos at nokia.com

--- Comment #6 from Pushparajan V <pushparajan.vijayakumar at nokia.com>  2011-01-03 06:37:21 PST ---
(In reply to comment #5)
> I agree with Adam, this is the intended behavior for this property.
> It is very useful to do Hybrid development, in which you really want to break the security based on origin.
> I agree with Alexey, the doc should be updated.
> Pushparajan, could you update the doc?

Its not just a documentation issue. If you read my comment, the property gives universalAccess to the securityOrigin on which its set. It creates security problems when used in applications which needs only XHR. 

Rather than updating the documents, I feel its better to add a new setting named LocalContentCanRequestRemoteURLs to avoid confusion. I have cooked up a patch for it. But it touches critical code in webkit. So, we need to discuss about the necessity of this setting in detail.

Whitelisting is a better option which can be used instead of such a setting. But it creates unnecessary security origins for each every origin and destination URLs. So, such a setting for the page will be really helpful and less confusing.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list