[Webkit-unassigned] [Bug 113345] New: View-source iframes are dangerous (and not very useful).
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Mar 26 14:44:49 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=113345
Summary: View-source iframes are dangerous (and not very
useful).
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: ASSIGNED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: tsepez at chromium.org
CC: abarth at webkit.org, jschuh at chromium.org,
cevans at google.com
Upstreamed from https://code.google.com/p/chromium/issues/detail?id=196636.
Memorable comments from that bug:
Collin: "View-source iframes seem dangerous in general; create a "captcha" that steals CSRF tokens, for example."
Justin: "We specifically disallow navigation to view-source URLs because we consider them unsafe. So allowing them via an iframe attribute is just a short trip to crazytown, population Chrome."
Adam: "It's non-standard and not supported by other browsers, AFAIK."
Platforms should have the option of excluding them, if they so desire.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list