[webkit-dev] Security advice for linux browsers based on WebKit
If you don't use WebKit to build a browser on Linux, you can ignore this message.

By default, WebKit allows local HTML files to inject script into any web page. That means that if you open a local HTML file on your machine, it can effectively XSS every web site, including the user's bank or webmail provider. To protect against this threat, we have the following setting:

    Settings::setAllowUniversalAccessFromFileURLs

which disables this behavior. For legacy reasons, we default this setting to "true," but I'd like to encourage you to use the "false" setting by default in your browser, especially if your browser runs on Linux.

This issue is particularly important on Linux because many Linux users use a network file system, such as AFS or NFS, which maps the entire world into the local file system. For example, if I made my home directory world-readable, it's quite likely that I would be able to control this URL on your user's machines:

    file:///afs/cs.stanford.edu/u/abarth

If you don't override WebKit's default setting, I might be able to leverage this ability to read your user's email or transact on your user's bank accounts. Of course, even with the "false" setting, I might still be able to read the contents of your user's /etc/passwd file or other sensitive information in your user's file system. Over time, I hope we can further restrict the privileges granted to file URLs. However, removing universal access is a necessary first step.

Please let me know if you have any questions.

Adam

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
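To make concrete what the legacy default grants and what the "false" setting removes, here is an added Python model of the access policy described in the message above; it is example code written for this page, not WebKit's own implementation, and the function names (origin, can_access, audit) and the choice to put every local file in one shared file: origin are this model's assumptions.

```python
from urllib.parse import urlsplit

# Default ports so "https://a.example/" and "https://a.example:443/" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL.

    file: URLs have no host. This model (an assumption of the example) puts
    every local file in one shared origin, so one local file can read another."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return ("file", "", None)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def can_access(source_url, target_url, allow_universal_access_from_file_urls=True):
    """Can a document at source_url script or read a document at target_url?

    Same origin is always allowed. With the legacy default (True), a file:
    document is additionally granted access to *every* origin; with False it
    is confined to other file: documents."""
    src, dst = origin(source_url), origin(target_url)
    if src == dst:
        return True
    return src[0] == "file" and allow_universal_access_from_file_urls

def audit(local_page, sites, setting):
    """Map each site to whether local_page could reach it under `setting`."""
    return {site: can_access(local_page, site, setting) for site in sites}

if __name__ == "__main__":
    # Constructed sample: the AFS path from the message plus two web origins
    # and the /etc/passwd case the message says the setting does not cover.
    page = "file:///afs/cs.stanford.edu/u/abarth/index.html"
    sites = ["https://bank.example/", "https://webmail.example/inbox",
             "file:///etc/passwd"]
    for setting in (True, False):
        print("allowUniversalAccessFromFileURLs =", setting, audit(page, sites, setting))
```

Running it shows that flipping the setting to False closes the web origins but, as the message warns, still leaves file:///etc/passwd reachable from the local page.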
Re: [webkit-dev] LayoutTest results choose from which folder?
On Aug 22, 2009, at 10:33 AM, Chris Fleizach wrote:

> I just committed http://trac.webkit.org/changeset/47675 which affects LayoutTest/accessibility/aria-roles.html
>
> The result is different on SnowLeopard than it is on Tiger/Leopard. To account for this difference, I have an -expected file in platform/mac-snowleopard where the line is
>
>     < This test PASSES in DumpRenderTree. The role is AXRole: AXList
>
> There is an existing file in platform/mac/ where the line is
>
>     > This test PASSES in DumpRenderTree. The role is AXRole: AXGroup
>
> ---
>
> Now after committing, Tiger/Leopard are complaining and saying
> http://build.webkit.org/results/Tiger%20Intel%20Release/r47675%20(3758)/accessibility/aria-roles-pretty-diff.html
> that it is expecting my expected file from mac-snowleopard instead of platform/mac.
>
> My question is, why does Tiger/Leopard expect the file in the mac-snowleopard folder?
> http://build.webkit.org/results/Tiger%20Intel%20Release/r47675%20(3758)/accessibility/aria-roles-expected.txt

Hi Chris,

In layout test results, we make the latest Mac OS X version the rule, and earlier versions the exception. Tiger will look for results in mac-tiger first, then in mac-leopard, then in mac-snowleopard, then in mac, then finally in cross-platform results. Leopard will begin the search in mac-leopard, continue to mac-snowleopard, then mac, then cross-platform.

As you can see, there are no expected results in mac-snowleopard (other than the ones you just added), because it’s the latest Mac OS X version. We will only start putting expected results in mac-snowleopard when the “latest” version (for which we put results in mac) will be something different.

You should put the expected results for Snow Leopard in platform/mac (or, if they are cross-platform, alongside the test), and you should put the results for Leopard and earlier in platform/mac-leopard.

—Dan
[webkit-dev] LayoutTest results choose from which folder?
I just committed http://trac.webkit.org/changeset/47675 which affects LayoutTest/accessibility/aria-roles.html

The result is different on SnowLeopard than it is on Tiger/Leopard. To account for this difference, I have an -expected file in platform/mac-snowleopard where the line is

    < This test PASSES in DumpRenderTree. The role is AXRole: AXList

There is an existing file in platform/mac/ where the line is

    > This test PASSES in DumpRenderTree. The role is AXRole: AXGroup

---

Now after committing, Tiger/Leopard are complaining and saying
http://build.webkit.org/results/Tiger%20Intel%20Release/r47675%20(3758)/accessibility/aria-roles-pretty-diff.html
that it is expecting my expected file from mac-snowleopard instead of platform/mac.

My question is, why does Tiger/Leopard expect the file in the mac-snowleopard folder?
http://build.webkit.org/results/Tiger%20Intel%20Release/r47675%20(3758)/accessibility/aria-roles-expected.txt