Script security issues when using a custom scheme handler

Post by ayoung24 » Fri May 14, 2010 11:09 am

I'm using a custom scheme handler which dynamically generates CSS files ("live-css://").

When the page finishes loading, I use JavaScript to replace the HREF of each LINK tag with a "live-css://url".

The browser loads the dynamic CSS files fine. The problem is, even after the files are finished loading, the "cssRules" property of "document.styleSheets[0]" is forever null. (I have the same problem when attempting to access style sheets which are sourced from a different domain from the page).

Is there any way to work around this?
ayoung24
Techie
 
Posts: 13
Joined: Sat Oct 17, 2009 6:26 pm

Re: Script security issues when using a custom scheme handler

Post by magreenblatt » Thu May 20, 2010 9:22 am

You'll probably need to start by identifying where document.styleSheets is populated in the source code (somewhere in third_party\WebKit\WebCore\dom\Document.cpp maybe?) and work backwards from there. Sorry I can't be more helpful :-(.

Regards,
Marshall
magreenblatt
Site Admin
 
Posts: 12406
Joined: Fri May 29, 2009 6:57 pm

Re: Script security issues when using a custom scheme handler

Post by ayoung24 » Thu May 20, 2010 9:58 am

I'm wondering if it has something to do with V8's "same origin policy". Other folks have reported a similar problem when trying to access offsite CSS files via jQuery. However, we are operating at a lower level than pure JavaScript; it seems that there should be some way around the problem.

There is a SetAccessCheckCallbacks() V8 method which allows you to allow or disallow access to specific objects, and also a SetSecurityToken() method which would allow you (I'm guessing) to specify the origin of a script. However, I don't even know what context the script in CEF is running in to begin with, so I'm not sure where to start.
ayoung24
Techie
 
Posts: 13
Joined: Sat Oct 17, 2009 6:26 pm
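
The symptom discussed above, as an added example that is not part of the original posts or of CEF: a script-side audit that reports which style sheets the same-origin policy withholds, without relaxing it. It goes beyond the thread by also handling engines that throw a SecurityError instead of returning null; `auditStyleSheets`, the helper names and the sample URLs are constructed for illustration, and plain objects stand in for `document.styleSheets` so the block runs under Node.

```javascript
// Added example (not from the thread): audit which style sheets script may read.

function isSameOrigin(sheetHref, pageUrl) {
  if (!sheetHref) return true; // inline <style> belongs to the document itself
  let sheetOrigin;
  try { sheetOrigin = new URL(sheetHref, pageUrl).origin; } catch { return false; }
  // Non-special schemes such as live-css: serialize to the opaque origin "null",
  // which is never same-origin with anything, including another "null".
  return sheetOrigin !== "null" && sheetOrigin === new URL(pageUrl).origin;
}

function readRules(sheet) {
  try {
    return sheet.cssRules || null; // the behaviour reported in the thread: null
  } catch (e) {
    if (e && e.name === "SecurityError") return null; // engines that throw instead
    throw e;
  }
}

function auditStyleSheets(sheets, pageUrl) {
  return Array.from(sheets, (sheet) => {
    const sameOrigin = isSameOrigin(sheet.href, pageUrl);
    const rules = readRules(sheet);
    let status;
    if (rules) {
      // Readable rules on a foreign sheet mean isolation was relaxed for it,
      // for example by a universal-access grant on the frame.
      status = sameOrigin ? "readable" : "readable-cross-origin";
    } else {
      status = sameOrigin ? "unreadable-unexpected" : "blocked-by-origin";
    }
    return { href: sheet.href || "(inline)", sameOrigin, status,
             ruleCount: rules ? rules.length : 0 };
  });
}

// Constructed sample input standing in for document.styleSheets.
const PAGE_URL = "http://app.example/index.html";
const throwingSheet = (href) => ({ href, get cssRules() {
  const e = new Error("blocked"); e.name = "SecurityError"; throw e; } });
const SAMPLE_SHEETS = [
  { href: null, cssRules: [{}, {}] },                    // inline <style>
  { href: "/css/site.css", cssRules: [{}] },             // same origin
  { href: "live-css://theme/main.css", cssRules: null }, // custom scheme
  throwingSheet("http://cdn.example/lib.css"),           // other host
];
console.table(auditStyleSheets(SAMPLE_SHEETS, PAGE_URL));
```

A `readable-cross-origin` row is the one worth reviewing in a hardened embedder, since it shows script in that frame can read content from another origin.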

Re: Script security issues when using a custom scheme handler

Post by ayoung24 » Fri May 21, 2010 10:01 am

I've found a workaround for the problem. It seems there is a "grantUniversalAccess()" method in WebFrame which basically enables cross-site scripting for that frame (until a new document is loaded). I've exposed it in CefFrame and it works a treat.

What I'd also like is a RevokeUniversalAccess() method as well, which looks like it would be easy enough to implement, but would require upstream changes (all the way back to WebCore).

I've attached a patch which adds a GrantUniversalAccess() method to CefFrame, perhaps you could consider it for a future revision.
Attachments
GrantUniversalAccess.zip
(1.41 KiB) Downloaded 741 times
ayoung24
Techie
 
Posts: 13
Joined: Sat Oct 17, 2009 6:26 pm

Re: Script security issues when using a custom scheme handler

Post by magreenblatt » Fri May 21, 2010 10:12 am

Sounds reasonable. Please create an entry for this on the CEF issue tracker so it doesn't get lost.
magreenblatt
Site Admin
 
Posts: 12406
Joined: Fri May 29, 2009 6:57 pm

Re: Script security issues when using a custom scheme handler

Post by ayoung24 » Fri May 21, 2010 10:31 am

Issue 87: Expose GrantUniversalAccess() to enable cross-site scripting
http://code.google.com/p/chromiumembedded/issues/detail?id=87
ayoung24
Techie
 
Posts: 13
Joined: Sat Oct 17, 2009 6:26 pm

