[Webkit-unassigned] [Bug 142341] Fonts should be treated as active mixed content

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 5 13:00:35 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=142341

--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to comment #1)
> I think that the old definition of active content is what can run JS code in
> the context of the current page, thus enabling XSS for an active attacker
> who can replace non-encrypted content.
> 
> I'm not sure how to make sense of this proposed change. Is it really about
> protecting against arbitrary code execution attacks on https pages?

No, it's just about blocking all mixed content we can block without breaking the web, due to the intrinsic security issues of loading any mixed content (e.g. sending your cookies in the clear when loading the resource). What Microsoft/Google/Mozilla are doing is blocking everything they think they can get away with blocking without pissing off users (to be blunt); right now that's most everything besides images, videos, and form targets. Safari is the only major browser that doesn't block any mixed content right now, and WebKit the only engine that treats fonts as "passive" rather than "active." I'd rather match what the other players are doing.

The WIP standard proposal for this is http://w3c.github.io/webappsec/specs/mixedcontent/ -- it tries to avoid the passive/active terminology since nowadays we say passive/active to talk about content that is not blocked or blocked, rather than whether the content can script the page.

My only security worry specific to fonts would be the bytecode, but we recently disabled that on the GTK+ port, and the attacker would just feed you the malicious bad font over an HTTP connection instead, so it doesn't matter one bit. I guess with a bad font you could deface the HTTPS page, but that'd be way harder to do than with images/videos.

....Anyway, what we do with fonts is not very important compared to my other patches in bug #140625; I'd be interested to hear your thoughts on some of those....
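An added illustration of the policy the comment describes (example code written for this page, not WebKit code or anything from the bug): a small audit that walks an HTTPS page's sub-resources, resolves each reference, and reports which plain-http loads would be refused outright (scripts, stylesheets, iframes, and, under this proposal, fonts) versus loaded-but-insecure (images, video, form targets). The category sets, the sample page URL and HTML, and the hostnames are all assumptions constructed for the example; the `same_host` flag marks the case the comment warns about, where non-Secure cookies for the page's own host would go out in the clear with the request.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed categories, taken from the comment's description rather than from
# the spec text: "blockable" loads are refused on an https page, the rest are
# loaded but should be flagged. Fonts sit in the blockable set here, which is
# the change this bug proposes.
BLOCKABLE = {"script", "stylesheet", "font", "iframe"}
OPTIONALLY_BLOCKABLE = {"image", "video", "audio", "form-target"}

FONT_FACE_BLOCK = re.compile(r"@font-face\s*\{[^}]*\}", re.S)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


class _ResourceCollector(HTMLParser):
    """Collect (kind, reference) pairs for the sub-resources a page names."""

    def __init__(self):
        super().__init__()
        self.resources = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.resources.append(("image", a["src"]))
        elif tag in ("video", "source") and a.get("src"):
            self.resources.append(("video", a["src"]))
        elif tag == "audio" and a.get("src"):
            self.resources.append(("audio", a["src"]))
        elif tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.resources.append(("stylesheet", a["href"]))
        elif tag == "iframe" and a.get("src"):
            self.resources.append(("iframe", a["src"]))
        elif tag == "form" and a.get("action"):
            self.resources.append(("form-target", a["action"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Inline CSS: every url() inside an @font-face rule is a font load.
        if self._in_style:
            for block in FONT_FACE_BLOCK.findall(data):
                for ref in CSS_URL.findall(block):
                    self.resources.append(("font", ref))


def audit_mixed_content(page_url, html):
    """Return one finding per plain-http sub-resource of an https page.

    Each finding carries the resource kind, its absolute URL, the verdict the
    described policy would give, and whether the insecure request goes to the
    page's own host (the case where the host's non-Secure cookies are exposed).
    """
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # mixed content is only defined for secure pages
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, ref in collector.resources:
        absolute = urljoin(page_url, ref)  # resolves "//host/x" to https
        target = urlsplit(absolute)
        if target.scheme != "http":
            continue  # https, data:, blob: are not mixed content
        findings.append({
            "kind": kind,
            "url": absolute,
            "verdict": "blocked" if kind in BLOCKABLE else "allowed-but-insecure",
            "same_host": target.hostname == page.hostname,
        })
    return findings


# Constructed sample page; hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<style>
@font-face { font-family: "Brand"; src: url(http://fonts.example/brand.woff); }
</style>
<script src="//shop.example/app.js"></script>
</head><body>
<img src="http://shop.example/logo.png">
<video src="http://media.example/ad.mp4"></video>
<form action="http://shop.example/pay"><input type="submit"></form>
<iframe src="https://pay.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        cookie_note = " (page-host cookies sent in clear)" if f["same_host"] else ""
        print(f"{f['verdict']:22} {f['kind']:12} {f['url']}{cookie_note}")
```

Running it on the sample lists the font as blocked and the image, video and form target as allowed but insecure; the protocol-relative script and the https stylesheet and iframe do not appear, since they resolve to secure origins. A check like this is only a static approximation (it ignores CSS fetched from external stylesheets and anything added by script), but it is enough to see why the comment treats every one of these loads as a leak regardless of whether the resource can script the page.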
