[Webkit-unassigned] [Bug 248390] New: [GTK] <svg><use> URIs not passed through WebKitWebPage::send-request

bugzilla-daemon at webkit.org
Mon Nov 28 04:46:28 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=248390

            Bug ID: 248390
           Summary: [GTK] <svg><use> URIs not passed through
                    WebKitWebPage::send-request
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcrha at redhat.com
                CC: bugs-noreply at webkitgtk.org

When there's an HTML code snippet like this one:

   <svg width='16' height='16'>
      <use xlink:href='https://thisweek.gnome.org/images/icons.svg#link'></use>
   </svg>

WebKitGTK ignores the WebKitWebPage::send-request callback on the extension side and immediately claims:

   mail://xxx/yyy/xzz?....:55:145: CONSOLE SECURITY ERROR Unsafe attempt to load URL https://thisweek.gnome.org/images/icons.svg from
   origin mail://xxx. Domains, protocols and ports must match.

The URL from the `use` tag should be processed by WebKitWebPage::send-request first, as is done for other URLs, for example with <img src=...>.

This can be a security problem for use cases where the WebKitWebPage::send-request callback is supposed to filter what should be processed in what way (like manual download, which does not involve WebKitGTK internals).

-- 
You are receiving this mail because:
You are the assignee for the bug.
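
Added example (not part of the original report and not WebKitGTK code): while `<use>` references are not offered to WebKitWebPage::send-request, an embedding application can list them itself before handing the HTML to the web view and apply the same policy it applies in that callback. The function and class names and the shortened document URI mail://xxx/yyy/xzz are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def origin(uri):
    parts = urlsplit(uri)  # also parses custom schemes such as mail://
    return (parts.scheme.lower(), parts.netloc.lower())


class UseRefScanner(HTMLParser):
    """Collects <use> references inside <svg> that leave the document origin."""

    def __init__(self, document_uri):
        super().__init__()
        self.doc_origin = origin(document_uri)
        self.svg_depth = 0
        self.external = []  # (line number, URI) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "use" and self.svg_depth:
            for name, value in attrs:
                if name in ("href", "xlink:href") and value:
                    self._check(value.strip())

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

    def _check(self, uri):
        parts = urlsplit(uri)
        # "#id" and path-only references stay inside the document's origin.
        if not parts.scheme and not parts.netloc:
            return
        if origin(uri) != self.doc_origin:
            self.external.append((self.getpos()[0], uri))


def external_use_refs(html, document_uri):
    """Return [(line, uri)] for every cross-origin <use> reference in html."""
    scanner = UseRefScanner(document_uri)
    scanner.feed(html)
    scanner.close()
    return scanner.external


if __name__ == "__main__":  # constructed input: the report's snippet
    sample = "<svg><use xlink:href='https://thisweek.gnome.org/images/icons.svg#link'></use></svg>"
    print(external_use_refs(sample, "mail://xxx/yyy/xzz"))
```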