[Webkit-unassigned] [Bug 181460] REGRESSION(r225650): The scores of MotionMark tests Multiply and Leaves dropped by 8%

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 11 15:01:49 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=181460

--- Comment #16 from Alexey Proskuryakov <ap at webkit.org> ---
The new security check is different from the old one. Base URL can be anything, as the page author can specify any base with the <base> element. It's not the same URL that the security context is created from.

The sheetBaseURL argument seems like a misnomer. Chris and I looked at one caller, and it was actually passing final stylesheet URL there (the one after redirects). So that's controllable by the attacker, who can start with their own server, and redirect to the victim.

It does seem likely that documents with unique origins also get extra powers with this change.

But I can't follow CSS code enough to tell what the observable effect is. Given that we started with a security check, it probably is a security regression of some sort.
