[Webkit-unassigned] [Bug 90618] Add folder access policy to allow local access to same folder and child folders
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Jul 10 08:37:12 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=90618
--- Comment #9 from Adam Barth <abarth at webkit.org> 2012-07-10 08:37:11 PST ---
> 1) This patch doesn't change the behavior of symmetric methods like equal() and isSameSchemeHostPort().
Right, but it encourages people to use canAccess in an asymmetric way, which doesn't work the way you'd expect.
> 2) The security model DOES support asymmetric access.
No, it doesn't. If A canAccess B, then B can hack A, which means that the relation isn't actually asymmetric.
> 2.1) when a security origin has universal access, it can access those security origins that doesn't have universal access. For example, it can be configured to give file URL universal access and block HTTP URL from accessing file URL.
Universal access is very insecure and should never be used. I would remove it from WebKit if I could.
> 2.2) Whitelist isn't symmetric. A security origin may be able to access another because the target is in its whitelist. It is asymmetric.
That's different because canRequest deals only with passive objects, like HTTP responses, not active objects like frames.
> Can you think again?
We've had this discussion many times over the years. The current policy isn't great, but it works ok. Folk shouldn't be using file URLs anyway. Their security model is completely broken.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list