[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
eric at webkit.org
Thu Oct 29 20:44:51 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 0a55a85c818239477d93a9562874b71818017cda
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Oct 15 02:14:25 2009 +0000
2009-10-14 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
[XSSAuditor] Add an exception for local files
https://bugs.webkit.org/show_bug.cgi?id=30352
Test that we allow sites to load scripts from their own domain as long
as they don't use query strings.
* http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html: Added.
* http/tests/security/xssAuditor/script-tag-with-source-same-host.html: Added.
2009-10-14 Adam Barth <abarth at webkit.org>
Reviewed by Darin Adler.
[XSSAuditor] Add an exception for local files
https://bugs.webkit.org/show_bug.cgi?id=30352
Reduce XSS auditor false positives by always letting pages load scripts
from their own host. We don't actually know of any false positives
that this prevents, but it seems like a good idea.
One subtlety is that we don't add this exception for scripts that have a
query string because (1) URLs with query strings are more apt to
confuse servers and (2) it is much less common to load scripts with a
query string.
Tests: http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
http/tests/security/xssAuditor/script-tag-with-source-same-host.html
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49605 268f45cc-cd09-0410-ab3c-d52691b4dbfc
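The following is an added example, not WebKit code and not part of this commit: a small model of the new early return in XSSAuditor::canLoadExternalScriptFromSrc, written against Node's built-in WHATWG URL parser. It assumes that KURL::host() yields the hostname without the port and that KURL::query().isEmpty() is true for both a missing and an empty query, and that URL.hostname and URL.search behave the same way; the document and script URLs are constructed to match the two layout tests, plus edge cases that follow from comparing hosts only.

```javascript
// Added example (not WebKit code): a model of the same-host / no-query
// exception described in the commit message, using Node's global URL.
// Assumptions: KURL::host() == URL.hostname (no port), and
// KURL::query().isEmpty() == (URL.search === ''), which is also true for a
// trailing '?' with nothing after it.

// Mirrors the new early return: resolve the script src against the document
// URL, then exempt the script from the auditor when the hostnames match and
// the resolved URL carries no query string.
function sameHostNoQueryException(documentUrl, scriptSrc) {
  const docUrl = new URL(documentUrl);
  let scriptUrl;
  try {
    scriptUrl = new URL(scriptSrc, docUrl);
  } catch (e) {
    return false; // unparsable src: no exemption, fall through to the auditor
  }
  return docUrl.hostname === scriptUrl.hostname && scriptUrl.search === '';
}

// Constructed cases: [document URL, script src, expected exemption].
const CASES = [
  // script-tag-with-source-same-host.html: relative same-host src, exempt
  ['http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=x',
   'safe-script.js', true],
  // script-tag-with-source-same-host-with-query.html: query present, not exempt
  ['http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=x',
   'xss.js?maybe+dangerous+query+string', false],
  // absolute cross-host src: not exempt, auditor still runs
  ['http://localhost:8000/page', 'http://attacker.example/evil.js', false],
  // hostname only is compared, so a different port on the same host is exempt
  ['http://localhost:8000/page', 'http://localhost:8080/evil.js', true],
  // trailing '?' with an empty query still counts as "no query"
  ['http://localhost:8000/page', 'lib.js?', true],
  // a document with no host (file:) matches any resolved src with no host
  ['file:///home/user/page.html', 'other.js', true],
];

// Evaluate every case and return the results so they can be checked.
function runCases(cases = CASES) {
  return cases.map(([doc, src, expected]) => ({
    doc, src, expected, actual: sameHostNoQueryException(doc, src),
  }));
}

for (const r of runCases()) {
  const mark = r.actual === r.expected ? 'ok ' : 'BAD';
  console.log(`${mark} ${r.src.padEnd(36)} exempt=${r.actual}`);
}
```

The fourth and sixth cases are consequences of the host-only comparison in the patch rather than behaviour the commit message advertises; they are the inputs to try when deciding whether the check should compare the full origin instead.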
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c4fe60e..22c36ce 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-14 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ [XSSAuditor] Add an exception for local files
+ https://bugs.webkit.org/show_bug.cgi?id=30352
+
+ Test that we allow sites to load scripts from their own domain as long
+ as they don't use query strings.
+
+ * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-same-host.html: Added.
+
2009-10-14 Darin Adler <darin at apple.com>
Fix a failure seen on buildbot after landing the fix for
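Review bot: the new entry says sites may load scripts "from their own domain", but the check in page/XSSAuditor.cpp compares URL hosts, so a script on a sibling subdomain is not covered; say "host" here so the ChangeLog matches what the tests exercise.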
diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
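Review bot: both expected-output files are recorded as 100% copies of other tests' expectations (base-href-safe-expected.txt and anchor-url-dom-write-location-expected.txt), so their content is not visible in this diff and a reviewer cannot confirm from the patch alone that the same-host test expects the script to run and the with-query test expects the "Refused to execute" console message; spelling out the expected lines in the review request, or committing them as fresh files, would make that checkable.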
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
new file mode 100644
index 0000000..e67cffb
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script src='xss.js?maybe+dangerous+query+string'></script>">
+</iframe>
+</body>
+</html>
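Review bot: this test only shows that a same-host src with a query string is not exempted; since the new check in canLoadExternalScriptFromSrc compares host() alone, a sibling case with the same hostname on a different port (for example `src='http://localhost:8080/xss.js'`) would pin down whether that is intended to be exempt as well.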
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html
new file mode 100644
index 0000000..36211ca
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script src='safe-script.js'></script>">
+</iframe>
+</body>
+</html>
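Review bot: nothing in this patch adds `resources/safe-script.js`; if that file does not already exist the `<script src='safe-script.js'>` load 404s and the test passes without ever executing a same-host script, so either add the resource or reference one the suite already has and make the expected output show that it ran.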
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 351a9a3..ece6d7a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2009-10-14 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ [XSSAuditor] Add an exception for local files
+ https://bugs.webkit.org/show_bug.cgi?id=30352
+
+ Reduce XSS auditor false positives by always letting pages load scripts
+ from their own host. We don't actually know of any false positives
+ that this prevents, but it seems like a good idea.
+
+ One subtly is that we don't add this exception for scripts that have a
+ query string because (1) URLs with query strings are more apt to
+ confuse servers and (2) it is much less common to load scripts with a
+ query string.
+
+ Tests: http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
+ http/tests/security/xssAuditor/script-tag-with-source-same-host.html
+
+ * page/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
+
2009-10-14 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by George Staikos.
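Review bot: "One subtly" in the new entry should read "One subtlety"; also the title "[XSSAuditor] Add an exception for local files" does not describe the change, which exempts same-host scripts, not local files, so retitle the entry (and the bug summary) before landing.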
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 3495077..890c3fa 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -144,6 +144,16 @@ bool XSSAuditor::canLoadExternalScriptFromSrc(const String& context, const Strin
if (!isEnabled())
return true;
+ // If the script is loaded from the same URL as the enclosing page, it's
+ // probably not an XSS attack, so we reduce false positives by allowing the
+ // script. If the script has a query string, we're more suspicious,
+ // however, because that's pretty rare and the attacker might be able to
+ // trick a server-side script into doing something dangerous with the query
+ // string.
+ KURL scriptURL(m_frame->document()->url(), url);
+ if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
+ return true;
+
if (findInRequest(context + url)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
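Review bot: the comment says "loaded from the same URL as the enclosing page", but the code only compares `m_frame->document()->url().host() == scriptURL.host()`, which ignores scheme and port and is also true when both hosts are empty (file:, data: or about: documents resolving a relative or host-less src); compare the full origin (or at least require `!scriptURL.host().isEmpty()` and an equal port) and reword the comment to match, and note that `scriptURL.query().isEmpty()` also exempts a src with a bare trailing "?".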
--
WebKit Debian packaging