[Webkit-unassigned] [Bug 186593] User gesture context is not passed via MessageChannel
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jun 21 04:15:28 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186593
Frédéric Wang (:fredw) <fred.wang at free.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #342918|0 |1
is obsolete| |
--- Comment #11 from Frédéric Wang (:fredw) <fred.wang at free.fr> ---
Created attachment 343234
--> https://bugs.webkit.org/attachment.cgi?id=343234&action=review
Patch (more restricted version)
This is a new version that is much stricter about how user gesture context is passed by postMessage. Basically, now:
- DOMWindow::postMessage always passes the user gesture context (that's already the case now)
- MessagePort::postMessage passes the user gesture context as long as it is not used in a worker context (currently, it never passes the user gesture context hence Dima's use case fails).
- Worker::postMessage will never pass the user gesture context (that's already the case now).
I have not tested it extensively yet, but at least it makes Dima's use case http://output.jsbin.com/cidetu work.
@Brady Eidson: Do you think this would be an acceptable change from a security point of view?
@Dima: Do you think that would address your use cases?
If that sounds good, I'll try writing tests and prepare a patch for formal review.
Maybe relaxing the conditions for postMessage can be done in follow-up patches, if that's what we want.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180621/001cb2e3/attachment.html>
More information about the webkit-unassigned
mailing list