[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

eric at webkit.org eric at webkit.org
Thu Oct 29 20:44:51 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 0a55a85c818239477d93a9562874b71818017cda
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Oct 15 02:14:25 2009 +0000

    2009-10-14  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            [XSSAuditor] Add an exception for local files
            https://bugs.webkit.org/show_bug.cgi?id=30352
    
            Test that we allow sites to load scripts from their own domain as long
            as they don't use query strings.
    
            * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: Added.
            * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt: Added.
            * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html: Added.
            * http/tests/security/xssAuditor/script-tag-with-source-same-host.html: Added.
    2009-10-14  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Darin Adler.
    
            [XSSAuditor] Add an exception for local files
            https://bugs.webkit.org/show_bug.cgi?id=30352
    
            Reduce XSS auditor false positives by always letting pages load scripts
            from their own host. We don't actually know of any false positives
            that this prevents, but it seems like a good idea.
    
        One subtlety is that we don't add this exception for scripts that have a
            query string because (1) URLs with query strings are more apt to
            confuse servers and (2) it is much less common to load scripts with a
            query string.
    
            Tests: http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
                   http/tests/security/xssAuditor/script-tag-with-source-same-host.html
    
            * page/XSSAuditor.cpp:
            (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49605 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c4fe60e..22c36ce 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-14  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        [XSSAuditor] Add an exception for local files
+        https://bugs.webkit.org/show_bug.cgi?id=30352
+
+        Test that we allow sites to load scripts from their own domain as long
+        as they don't use query strings.
+
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-same-host.html: Added.
+
 2009-10-14  Darin Adler  <darin at apple.com>
 
         Fix a failure seen on buildbot after landing the fix for
diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
new file mode 100644
index 0000000..e67cffb
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script src='xss.js?maybe+dangerous+query+string'></script>">
+</iframe>
+</body>
+</html>
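Review bot: the expected output for this test is a 100% copy of anchor-url-dom-write-location-expected.txt (see the "copy from" line above), so please confirm that the console message recorded there is the one the auditor actually emits for a refused `<script src>` load, rather than the one emitted for the DOM-write case that file was written for; otherwise the test would pass for the wrong reason.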
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html
new file mode 100644
index 0000000..36211ca
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-same-host.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script src='safe-script.js'></script>">
+</iframe>
+</body>
+</html>
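Review bot: this test only exercises a relative `src='safe-script.js'` on the same host and port as the page, so it does not pin down the boundary of the new exception. Consider adding cases for an absolute URL on the same host but a different port (for example `http://localhost:8080/...`) and for a different host, to document whether the exception is meant to apply there, since the implementation compares host() only.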
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 351a9a3..ece6d7a 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2009-10-14  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Darin Adler.
+
+        [XSSAuditor] Add an exception for local files
+        https://bugs.webkit.org/show_bug.cgi?id=30352
+
+        Reduce XSS auditor false positives by always letting pages load scripts
+        from their own host. We don't actually know of any false positives
+        that this prevents, but it seems like a good idea.
+
+        One subtly is that we don't add this exception for scripts that have a
+        query string because (1) URLs with query strings are more apt to
+        confuse servers and (2) it is much less common to load scripts with a
+        query string.
+
+        Tests: http/tests/security/xssAuditor/script-tag-with-source-same-host-with-query.html
+               http/tests/security/xssAuditor/script-tag-with-source-same-host.html
+
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
+
 2009-10-14  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Reviewed by George Staikos.
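Review bot: typo in the ChangeLog entry: "One subtly is that" should read "One subtlety is that". Also, the entry concedes no known false positive is fixed by this change; it would help future readers to record the trade-off being accepted, namely that a script under the page's own host is no longer checked against the request at all.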
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 3495077..890c3fa 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -144,6 +144,16 @@ bool XSSAuditor::canLoadExternalScriptFromSrc(const String& context, const Strin
     if (!isEnabled())
         return true;
 
+    // If the script is loaded from the same URL as the enclosing page, it's
+    // probably not an XSS attack, so we reduce false positives by allowing the
+    // script. If the script has a query string, we're more suspicious,
+    // however, because that's pretty rare and the attacker might be able to
+    // trick a server-side script into doing something dangerous with the query
+    // string.
+    KURL scriptURL(m_frame->document()->url(), url);
+    if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
+        return true;
+
     if (findInRequest(context + url)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
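Review bot: the comment says the exception applies when the script is "loaded from the same URL as the enclosing page", but the check `m_frame->document()->url().host() == scriptURL.host()` compares only the host component, so scheme and port are ignored (an https page would skip the audit for an http script on the same hostname, and `localhost:8000` matches `localhost:8080`). Either compare against the document's security origin (scheme, host and port) or reword the comment to say "same host" and state that scheme and port are deliberately not considered. Since `url` is resolved relative to the document URL via `KURL scriptURL(m_frame->document()->url(), url)`, any injected relative `src` also lands in this exception, which is worth calling out in the comment alongside the query-string caveat.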

-- 
WebKit Debian packaging
