While researching the BEAST exploit I did some tests and found out that WebKit is susceptible to one of the preconditions of the exploit, namely downloading and executing scripts and content outside of the HTTPS session.

Now we can argue the likelihood of the BEAST exploit in WebKit, but that isn't my point at all (I personally think it is exceedingly unlikely). The browser that I wrote uses whitelists to determine what domains are allowed to run JavaScript. By default WebKit allows running of cross-domain scripts, so when I whitelist a domain, a site currently can and will download scripts from another domain I might not trust.

I did a proof of concept with the following web page: https://www.cyphertite.com/beasttest.html It downloads a picture and resizes it when JS is enabled, even though I don't trust the domain where the picture and JS originated. Speaking as a proof of concept of course ;-)

I rigged WebKit to set m_allowRunningOfInsecureContent and m_allowDisplayOfInsecureContent to false, and the results were exactly what I was expecting and looking for. So I went ahead and started writing a patch to expose those settings, and as I was doing that I ran across this bug report and patch: https://bugs.webkit.org/show_bug.cgi?id=58378 It exposes the settings on all platforms, perfect ;-)

I would even argue that these settings should be disabled by default, because I can only come up with 3 reasons to enable it and all of them are nefarious. So allowing browser authors to make this decision for themselves is therefore the next best thing IMO.

Thanks for considering this.

_______________________________________________
webkit-gtk mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-gtk
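The point of the two WebCore settings named in the post is that they split one question into two: may an HTTPS page *run* insecure (http) active content such as scripts, and may it *display* insecure passive content such as images. The following is an added JavaScript example, not code from the post, from WebKit or from the linked patch. It models that split as a small policy check and runs it over a constructed test page in the spirit of the PoC (a script plus an image fetched over plain http from a domain the page does not trust). The setting names are modelled on the WebCore member names; which tag kinds count as "running" versus "display", the sample page and the sample URLs are all assumptions.

```javascript
// Added example (not WebKit code): classify sub-resources of an HTTPS page as
// active ("running") or passive ("display") mixed content and apply the two
// settings from the post. The policy model below is an assumption modelled on
// the WebCore setting names, not WebKit's actual resource-type list.

// Resource kinds treated as "running" (active) vs "display" (passive). Assumption.
const ACTIVE_KINDS = new Set(["script", "iframe", "stylesheet", "xhr", "object"]);
const PASSIVE_KINDS = new Set(["image", "audio", "video"]);

// Decide whether `resourceUrl`, fetched from the document at `pageUrl`, may load.
// settings: { allowRunningOfInsecureContent, allowDisplayOfInsecureContent }
// Returns { allowed: boolean, reason: string }.
function checkMixedContent(pageUrl, resourceUrl, kind, settings) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, pageUrl); // resolve relative URLs against the page

  // A plain-http page has no secure context to protect; nothing is "mixed".
  if (page.protocol !== "https:") {
    return { allowed: true, reason: "page is not https" };
  }
  // https and data: resources are not fetched over an insecure transport.
  if (res.protocol === "https:" || res.protocol === "data:") {
    return { allowed: true, reason: "resource is secure" };
  }
  if (PASSIVE_KINDS.has(kind)) {
    return settings.allowDisplayOfInsecureContent
      ? { allowed: true, reason: "passive mixed content permitted by setting" }
      : { allowed: false, reason: "passive mixed content blocked" };
  }
  // Active kinds, and anything unknown (fail closed: treat it as active).
  return settings.allowRunningOfInsecureContent
    ? { allowed: true, reason: "active mixed content permitted by setting" }
    : { allowed: false, reason: "active mixed content blocked" };
}

// Minimal tag scanner for the constructed page below (not a real HTML parser).
const TAG_RE = /<(script|img|iframe|link)\b[^>]*\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
const TAG_KIND = { script: "script", img: "image", iframe: "iframe", link: "stylesheet" };

// Run the check over every src/href found in `html` and return one verdict per resource.
function auditPage(pageUrl, html, settings) {
  const results = [];
  for (const m of html.matchAll(TAG_RE)) {
    const kind = TAG_KIND[m[1].toLowerCase()];
    const verdict = checkMixedContent(pageUrl, m[2], kind, settings);
    results.push({ url: m[2], kind, ...verdict });
  }
  return results;
}

// Constructed sample page (an assumption, not the contents of the post's PoC URL):
// an HTTPS page pulling a script and an image over plain http from an untrusted host.
const SAMPLE_PAGE_URL = "https://www.example.com/beasttest.html";
const SAMPLE_HTML = `
<html><head>
<script src="http://untrusted.example.net/resize.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="http://untrusted.example.net/pic.png">
<img src="https://cdn.example.org/logo.png">
</body></html>`;

// The permissive defaults the post describes, and the locked-down pair the author tried.
const DEFAULT_SETTINGS = { allowRunningOfInsecureContent: true, allowDisplayOfInsecureContent: true };
const STRICT_SETTINGS = { allowRunningOfInsecureContent: false, allowDisplayOfInsecureContent: false };

// Convenience: the URLs on the sample page that a given settings pair would refuse to load.
function blockedUrls(settings) {
  return auditPage(SAMPLE_PAGE_URL, SAMPLE_HTML, settings)
    .filter((r) => !r.allowed)
    .map((r) => r.url);
}

console.log("blocked with defaults:", blockedUrls(DEFAULT_SETTINGS));
console.log("blocked when both settings are false:", blockedUrls(STRICT_SETTINGS));
```

With both settings true nothing on the sample page is refused, which is the behaviour the post complains about: whitelisting the page's own domain does not stop it pulling a script from a host you never approved. With both false, exactly the two plain-http resources are refused while the same-origin script and the https image still load. Setting only allowDisplayOfInsecureContent to true would let the http image through but still block the http script, which is the finer-grained choice the two separate settings exist for.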
