<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:cgarcia@igalia.com" title="Carlos Garcia Campos <cgarcia@igalia.com>"> <span class="fn">Carlos Garcia Campos</span></a>
</span> changed
<a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18"
href="https://bugs.webkit.org/show_bug.cgi?id=156651">bug 156651</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Attachment #276594 Flags</td>
<td>commit-queue?
</td>
<td>commit-queue-
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18"
href="https://bugs.webkit.org/show_bug.cgi?id=156651#c26">Comment # 26</a>
on <a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - [GTK] Expose AllowUniversalAccessFromFileURLs preference now that calling localStorage.getItem() results in SecurityError: DOM Exception 18"
href="https://bugs.webkit.org/show_bug.cgi?id=156651">bug 156651</a>
from <span class="vcard"><a class="email" href="mailto:cgarcia@igalia.com" title="Carlos Garcia Campos <cgarcia@igalia.com>"> <span class="fn">Carlos Garcia Campos</span></a>
</span></b>
<pre>Comment on <span class=""><a href="attachment.cgi?id=276594&action=diff" name="attach_276594" title="Patch">attachment 276594</a> <a href="attachment.cgi?id=276594&action=edit" title="Patch">[details]</a></span>
Patch
View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=276594&action=review">https://bugs.webkit.org/attachment.cgi?id=276594&action=review</a>
We have always tried to avoid exposing this setting, because it's considered dangerous. My main concern is that this looks like the easy solution to fix any cross-origin issue in web apps, but it's not necessarily the right one. But anyway, if we can't avoid exposing this, let's just do it, but not in a stable branch. We released 2.12.0 with a behavior and we should stay with it. So, I see two possibilities here:
1.- Patch WebKit in 2.12 branch only to allow access to local storage from file URLs when AllowFileAccessFromFileURLS is set.
2.- Roll out the patch that introduced the issue. It doesn't look like a so serious issue in the end, and it has always been that way.
Then expose this setting in trunk for 2.14.
<span class="quote">> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1257
> + * should be allowed to access content from any origin. By default, when</span >
Extra space between origin. and By default.
<span class="quote">> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1261
> + * it would be possible to use local storage, for example.</span >
I think we should explain here the differences between allow-file-access and allow-universal-access, to make sure people who actually need allow-file-access don't use this setting. We should probably warn that this could be dangerous.
<span class="quote">> Source/WebKit2/UIProcess/API/gtk/WebKitSettings.cpp:1263
> + * Since: 2.12.2</span >
I don't think we should add new API to 2.12 branch, applications shouldn't need any change to properly work between 2.12 and 2.12.x</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>