http://gwt-code-reviews.appspot.com/1380806/diff/25001/user/src/com/google/gwt/safehtml/shared/UriUtils.java File user/src/com/google/gwt/safehtml/shared/UriUtils.java (right):
http://gwt-code-reviews.appspot.com/1380806/diff/25001/user/src/com/google/gwt/safehtml/shared/UriUtils.java#newcode172
user/src/com/google/gwt/safehtml/shared/UriUtils.java:172: public static SafeUri fromTrustedString(String s) {

On 2011/04/27 17:18:58, xtof wrote:
I think it's a bit more complicated than that. In particular, it matters where the value came from. For example, we need to consider data: URIs as inherently dangerous. _However_, a data: URI that's fully program controlled (e.g., a resource) is considered inherently safe. I.e., the provenance of the value matters more than what the actual value looks like.

Which is also why the SafeUri contract (as well as the SafeHtml one) has this vague language about "safe from cross site scripting". In principle, the contract could actually be written to state that evaluating the URI must not result in execution of script, unless the script is fully under program control.

I wonder if we should make that change; for instance, one might create a SafeUri object for 'javascript:void(0);', which does execute script but is harmless because the script is fully program controlled, which means it's not "cross site" scripting.

I wonder if we should specify this in the SafeUri contract at this level of detail?
Hmm. We could start by saying in the SafeUri contract what you just said: provenance matters, and SafeUri could contain any type of URL provided that it's hard-coded by the app. For untrusted strings, we can refer people to EscapeUtils.isSafeUri, which has a list of safe URL schemes. From a reviewer's standpoint, I believe that if some code implementing the SafeUri interface only constructs URLs for the schemes listed in isSafeUri(), then I know it's okay, and if not, I'd better get a real security review from someone who knows web security better.

http://gwt-code-reviews.appspot.com/1380806/

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
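A sketch of the two paths the thread distinguishes, added here as an illustration and not GWT's own UriUtils or EscapeUtils code: a trusted-provenance constructor that accepts any hard-coded value, beside a scheme allowlist check for untrusted input. The class and helper names and the scheme list are assumptions for the example.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-alone sketch; not the GWT implementation.
public final class UriProvenanceExample {

    // Assumed allowlist for untrusted input, in the spirit of isSafeUri().
    private static final Set<String> SAFE_SCHEMES = Set.of("http", "https", "mailto", "ftp");

    /** Wrapper meaning "the caller vouches that this URI is safe to evaluate". */
    public static final class SafeUri {
        private final String uri;
        private SafeUri(String uri) { this.uri = uri; }
        public String asString() { return uri; }
    }

    /** Provenance path: the string is program controlled, so any scheme is allowed. */
    public static SafeUri fromTrustedString(String hardCoded) {
        return new SafeUri(hardCoded);
    }

    /** Untrusted path: accept only allowlisted schemes or scheme-less relative URIs. */
    public static boolean isSafeUri(String uri) {
        // Browsers ignore leading control characters and whitespace, so skip them
        // before looking for the scheme (otherwise " javascript:..." slips through).
        int start = 0;
        while (start < uri.length() && uri.charAt(start) <= ' ') start++;
        String s = uri.substring(start);
        int colon = s.indexOf(':');
        if (colon < 0) return true;                       // no scheme: relative URI
        String scheme = s.substring(0, colon);
        // If the text before the first ':' is not a scheme token (e.g. "/path?x=a:b"),
        // the colon belongs to the path or query and there is no scheme.
        if (!scheme.matches("[A-Za-z][A-Za-z0-9+.-]*")) return true;
        return SAFE_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /** Untrusted input that fails the check is replaced by an inert fragment link. */
    public static SafeUri fromUntrustedString(String untrusted) {
        return isSafeUri(untrusted) ? new SafeUri(untrusted) : new SafeUri("#");
    }

    public static void main(String[] args) {
        // Program-controlled value: allowed regardless of scheme.
        System.out.println(fromTrustedString("javascript:void(0);").asString());
        // Untrusted values: only allowlisted schemes survive.
        System.out.println(fromUntrustedString("https://example.com/").asString());
        System.out.println(fromUntrustedString(" JAVASCRIPT:alert(1)").asString()); // "#"
        System.out.println(fromUntrustedString("data:text/html,x").asString());    // "#"
        System.out.println(fromUntrustedString("/docs?q=a:b").asString());         // relative, kept
    }
}
```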
