[Webkit-unassigned] [Bug 156651] [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 18 00:09:28 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=156651

Carlos Garcia Campos <cgarcia at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #276594|commit-queue?               |commit-queue-
              Flags|                            |

--- Comment #26 from Carlos Garcia Campos <cgarcia at igalia.com> ---
Comment on attachment 276594
  --> https://bugs.webkit.org/attachment.cgi?id=276594
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=276594&action=review

We have always tried to avoid exposing this setting, because it's considered dangerous. My main concern is that this looks like the easy solution to fix any cross-origin issue in web apps, but it's not necessarily the right one. But anyway, if we can't avoid exposing this, let's just do it, but not in a stable branch. We released 2.12.0 with a behavior and we should stay with it. So, I see two possibilities here:

1.- Patch WebKit in 2.12 branch only to allow access to local storage from file URLs when AllowFileAccessFromFileURLS is set.
2.- Roll out the patch that introduced the issue. It doesn't look like a so serious issue in the end, and it has always been that way.

Then expose this setting in trunk for 2.14.

> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1257
> +     * should be allowed to access content from any origin.  By default, when

Extra space between origin. and By default.

> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1261
> +     * it would be possible to use local storage, for example.

I think we should explain here the differences between allow-file-access and allow-universal-access, to make sure people who actually need allow-file-access don't use this setting. We should probably warn that this could be dangerous.

> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1263
> +     * Since: 2.12.2

I don't think we should add new API to 2.12 branch, applications shouldn't need any change to properly work between 2.12 and 2.12.x

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160418/82009dcd/attachment.html>

More information about the webkit-unassigned mailing list