[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
dbates at webkit.org
dbates at webkit.org
Wed Apr 7 23:25:58 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 5c0174ad0e8eded3360724af00f5ae4a0d257199
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Nov 9 01:18:08 2009 +0000
2009-11-08 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=31098
Allows same-origin plugin-based content to load.
Test: http/tests/security/xssAuditor/object-src-inject.html
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canLoadExternalScriptFromSrc): Modified to call XSSAuditor::isSameOriginResource.
(WebCore::XSSAuditor::canLoadObject): Ditto.
(WebCore::XSSAuditor::canSetBaseElementURL): Ditto.
(WebCore::XSSAuditor::isSameOriginResource): Added.
* page/XSSAuditor.h:
2009-11-08 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=31098
Tests that the XSSAuditor prevents loading plugin-based content that is not
from the same origin as the enclosing page.
* http/tests/security/xssAuditor/object-src-inject-expected.txt: Added.
* http/tests/security/xssAuditor/object-src-inject.html: Added.
* http/tests/security/xssAuditor/resources/echo-object-src.pl: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50631 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a325489..738bbb6 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-11-08 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31098
+
+ Tests that the XSSAuditor prevents loading plugin-based content that is not
+ from the same-origin as the enclosing page.
+
+ * http/tests/security/xssAuditor/object-src-inject-expected.txt: Added.
+ * http/tests/security/xssAuditor/object-src-inject.html: Added.
+ * http/tests/security/xssAuditor/resources/echo-object-src.pl: Added.
+
2009-11-08 Shu Chang <Chang.Shu at nokia.com>
Reviewed by Holger Freyther.
diff --git a/LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt b/LayoutTests/http/tests/security/xssAuditor/object-src-inject-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/object-src-inject-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/object-src-inject.html b/LayoutTests/http/tests/security/xssAuditor/object-src-inject.html
new file mode 100644
index 0000000..769037a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/object-src-inject.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-object-src.pl?q=http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf">
+</iframe>
+</body>
+</html>
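Review bot: The only path this test exercises is the rejecting one: the plugin source passed in `q` is on host 127.0.0.1 while the page is served from localhost, so the cross-host block is covered but the same-host allow path that the commit description says it adds is not. A companion test pointing `q` at a resource on the same host with no query string, and expecting the object to load, would pin the new behaviour. The expected output is a copy of embed-tag-control-char-expected.txt, which is presumably fine for a dumpAsText result, but a comment in the test naming what output is asserted would make that dependency explicit.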
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-object-src.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-object-src.pl
new file mode 100755
index 0000000..6c98958
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-object-src.pl
@@ -0,0 +1,15 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<object name=\"plugin\" type=\"application/x-webkit-test-netscape\">\n";
+print "<param name=\"movie\" value=\"".$cgi->param('q')."\" />\n";
+print "</object>\n";
+print "</body>\n";
+print "</html>\n";
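Review bot: The markup printed after the `print "<html>\n";` line never opens a `<body>`, yet `</body>` is printed before `</html>`, so the reflected document is unbalanced and the test relies on the parser's error recovery to place the object. Add `print "<body>\n";` directly after the `<html>` line. Reflecting `q` unescaped is evidently the purpose of this harness, so that part is left as is.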
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 0c7654f..5da8631 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-11-08 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31098
+
+ Allows same-origin plugin-based content to load.
+
+ Test: http/tests/security/xssAuditor/object-src-inject.html
+
+ * page/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): Modified to call XSSAuditor::isSameOriginResource.
+ (WebCore::XSSAuditor::canLoadObject): Ditto.
+ (WebCore::XSSAuditor::canSetBaseElementURL): Ditto.
+ (WebCore::XSSAuditor::isSameOriginResource): Added.
+ * page/XSSAuditor.h:
+
2009-11-08 David Levin <levin at chromium.org>
Unreviewed build fix for chromium.
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 890c3fa..28acad2 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -144,14 +144,7 @@ bool XSSAuditor::canLoadExternalScriptFromSrc(const String& context, const Strin
if (!isEnabled())
return true;
- // If the script is loaded from the same URL as the enclosing page, it's
- // probably not an XSS attack, so we reduce false positives by allowing the
- // script. If the script has a query string, we're more suspicious,
- // however, because that's pretty rare and the attacker might be able to
- // trick a server-side script into doing something dangerous with the query
- // string.
- KURL scriptURL(m_frame->document()->url(), url);
- if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
+ if (isSameOriginResource(url))
return true;
if (findInRequest(context + url)) {
@@ -167,6 +160,9 @@ bool XSSAuditor::canLoadObject(const String& url) const
if (!isEnabled())
return true;
+ if (isSameOriginResource(url))
+ return true;
+
if (findInRequest(url)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -179,9 +175,11 @@ bool XSSAuditor::canSetBaseElementURL(const String& url) const
{
if (!isEnabled())
return true;
-
- KURL baseElementURL(m_frame->document()->url(), url);
- if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
+
+ if (isSameOriginResource(url))
+ return true;
+
+ if (findInRequest(url)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
return false;
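Review bot: The rewrite changes what canSetBaseElementURL refuses, not just how it is written, while the ChangeLog entry (`Ditto`) reads as a mechanical change. Previously `findInRequest(url)` ran only when the base URL's host differed from the document's; now a same-host base URL that carries a query string is not exempted by `isSameOriginResource` and is refused whenever `findInRequest(url)` matches. If that tightening is intended, say so in the ChangeLog and add a comment above the early return, e.g. `// A same-host base URL with a query string is deliberately not exempted; see isSameOriginResource.` The function's closing brace lies outside the hunk.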
@@ -255,6 +253,18 @@ String XSSAuditor::decodeHTMLEntities(const String& string, bool leaveUndecodabl
return String::adopt(result);
}
+bool XSSAuditor::isSameOriginResource(const String& url) const
+{
+ // If the resource is loaded from the same URL as the enclosing page, it's
+ // probably not an XSS attack, so we reduce false positives by allowing the
+ // request. If the resource has a query string, we're more suspicious,
+ // however, because that's pretty rare and the attacker might be able to
+ // trick a server-side script into doing something dangerous with the query
+ // string.
+ KURL resourceURL(m_frame->document()->url(), url);
+ return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
+}
+
bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
bool decodeURLEscapeSequencesTwice) const
{
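Review bot: The name `isSameOriginResource` promises an origin comparison, but the body compares only `host()` and requires an empty query; scheme and port are never checked, so a resource on another port or scheme of the same host is treated as same origin by every caller in canLoadExternalScriptFromSrc, canLoadObject and canSetBaseElementURL. Either compare against the document's security origin (WebCore has SecurityOrigin for this, if its equality semantics suit the auditor) or rename to something like `isSameHostResourceWithoutQuery` and state the limitation where the function is declared: `// Compares host only; scheme and port are ignored, and any query string disqualifies the resource.` The leading comment's "loaded from the same URL as the enclosing page" should also say "same host" so it matches the code it describes.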
diff --git a/WebCore/page/XSSAuditor.h b/WebCore/page/XSSAuditor.h
index adfa5c7..9cff790 100644
--- a/WebCore/page/XSSAuditor.h
+++ b/WebCore/page/XSSAuditor.h
@@ -122,6 +122,7 @@ namespace WebCore {
bool decodeURLEscapeSequencesTwice = false);
static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
+ bool isSameOriginResource(const String& url) const;
bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
bool decodeURLEscapeSequencesTwice = false) const;
bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
--