[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
dbates at webkit.org
Thu Feb 4 21:36:11 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit e3e9ddc6da3ef0dcc27658b27368e54a474386c7
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Feb 2 05:13:33 2010 +0000
2010-02-01 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=27312
Implements support for full page blocking via the X-XSS-Protection header.
Tests: http/tests/security/xssAuditor/full-block-base-href.html
http/tests/security/xssAuditor/full-block-get-from-iframe.html
http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
http/tests/security/xssAuditor/full-block-javascript-link.html
http/tests/security/xssAuditor/full-block-link-onclick.html
http/tests/security/xssAuditor/full-block-object-tag.html
http/tests/security/xssAuditor/full-block-post-from-iframe.html
http/tests/security/xssAuditor/full-block-script-tag-with-source.html
http/tests/security/xssAuditor/full-block-script-tag.html
http/tests/security/xssAuditor/malformed-xss-protection-header.html
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::shouldFullPageBlockForXSSProtectionHeader): Added.
(WebCore::XSSAuditor::findInRequest): Modified to call method
XSSAuditor::shouldFullPageBlockForXSSProtectionHeader.
* page/XSSAuditor.h: Defined method shouldFullPageBlockForXSSProtectionHeader
and fixed misspelled words in large comment block.
2010-02-01 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=27312
Tests that the header "X-XSS-Protection: full-block" leads to a full page block
when an XSS attack is detected.
* http/tests/security/xssAuditor/full-block-base-href-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-base-href.html: Added.
* http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-get-from-iframe.html: Added.
* http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-iframe-javascript-url.html: Added.
* http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-iframe-no-inherit.php: Added.
* http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-javascript-link.html: Added.
* http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-link-onclick.html: Added.
* http/tests/security/xssAuditor/full-block-object-tag-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-object-tag.html: Added.
* http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-post-from-iframe.html: Added.
* http/tests/security/xssAuditor/full-block-script-tag-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: Added.
* http/tests/security/xssAuditor/full-block-script-tag-with-source.html: Added.
* http/tests/security/xssAuditor/full-block-script-tag.html: Added.
* http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Added.
* http/tests/security/xssAuditor/malformed-xss-protection-header.html: Added.
* http/tests/security/xssAuditor/resources/echo-head-base-href.pl: Modified to optionally
enable full page blocking.
* http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: Ditto.
* http/tests/security/xssAuditor/resources/echo-intertag.pl: Ditto.
* http/tests/security/xssAuditor/resources/utilities.js:
(checkIfFrameLocationMatchesURLAndCallDone): Added.
(sendRequestFromIFrame): Modified to optionally call callback function when done.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54202 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5567811..409ff7b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,42 @@
+2010-02-01 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=27312
+
+ Tests that the header "X-XSS-Protection: full-block" leads to a full page block
+ when an XSS attack is detected.
+
+ * http/tests/security/xssAuditor/full-block-base-href-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-base-href.html: Added.
+ * http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-get-from-iframe.html: Added.
+ * http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-iframe-javascript-url.html: Added.
+ * http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-iframe-no-inherit.php: Added.
+ * http/tests/security/xssAuditor/full-block-javascript-link-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-javascript-link.html: Added.
+ * http/tests/security/xssAuditor/full-block-link-onclick-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-link-onclick.html: Added.
+ * http/tests/security/xssAuditor/full-block-object-tag-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-object-tag.html: Added.
+ * http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-post-from-iframe.html: Added.
+ * http/tests/security/xssAuditor/full-block-script-tag-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt: Added.
+ * http/tests/security/xssAuditor/full-block-script-tag-with-source.html: Added.
+ * http/tests/security/xssAuditor/full-block-script-tag.html: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: Added.
+ * http/tests/security/xssAuditor/malformed-xss-protection-header.html: Added.
+ * http/tests/security/xssAuditor/resources/echo-head-base-href.pl: Modified to optionally
+ enable full page blocking.
+ * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: Ditto.
+ * http/tests/security/xssAuditor/resources/echo-intertag.pl: Ditto.
+ * http/tests/security/xssAuditor/resources/utilities.js:
+ (checkIfFrameLocationMatchesURLAndCallDone): Added.
+ (sendRequestFromIFrame): Modified to optionally call callback function when done.
+
2010-02-01 Shinichiro Hamaji <hamaji at chromium.org>
Reviewed by Dmitry Titov.
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
new file mode 100644
index 0000000..797587d
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-base-href-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to load from document base URL. URL found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html b/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html
new file mode 100644
index 0000000..1aaf2c0
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-base-href.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-head-base-href.pl?enable-full-block=1&q=<base href='http://localhost:8000/security/xssAuditor/resources/base-href/'>">
+</iframe>
+</body>
+</html>
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
new file mode 100644
index 0000000..dfab090
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe-expected.txt
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe.html b/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe.html
new file mode 100644
index 0000000..5a81a5a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-get-from-iframe.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+function done()
+{
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+window.onload = function()
+{
+ sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","enable-full-block=1&q=<script>alert(/XSS/)<\/script>","GET", done);
+};
+</script>
+</head>
+<body>
+</body>
+</html>
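Review bot: done() calls layoutTestController.notifyDone() as soon as the frame's onload fires, without checking that the frame has actually reached about:blank, whereas the other full-block tests in this patch go through checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank'). The comment this same patch adds to echo-intertag-click-and-notify.pl says the redirect to about:blank takes some time, so the first onload (the echoed response, before the scheduled location change) can dump the frame before the block completes and the expected empty frame becomes timing-dependent. Have done() compare the frame's contentWindow.location against 'about:blank' before notifying, as the other tests do; the POST variant of this test has the same pattern.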
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
new file mode 100644
index 0000000..e192ae7
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
new file mode 100644
index 0000000..64c43e9
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src='http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=%3Ciframe%20src=javascript:alert(document.domain)%3E'>
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
new file mode 100644
index 0000000..d65be04
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+This tests that the header X-XSS-Protection is not inherited by the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+If you see this message and no JavaScript alert() then the test PASSED.
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit.php b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
new file mode 100644
index 0000000..9f665eb
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
@@ -0,0 +1,26 @@
+<?php
+header("X-XSS-Protection: full-block");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://127.0.0.1:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+function checkIfDone()
+{
+ checkIfFrameLocationMatchesURLAndCallDone('frame', encodeURI(document.getElementById('frame').src));
+}
+</script>
+</head>
+<body>
+<p>This tests that the header X-XSS-Protection is not inherited by the iframe below:</p>
+<iframe id="frame" onload="checkIfDone()" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
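Review bot: this test sends `X-XSS-Protection: full-block` (line 2 of the file), but shouldFullPageBlockForXSSProtectionHeader() in this patch only honors a value beginning with "12", so the outer document could never trigger a full block even if the header were inherited by the iframe; the test therefore passes whether or not inheritance is broken. Send the value the implementation actually checks (`header("X-XSS-Protection: 12");`) so the non-inheritance claim is really exercised, and reconcile the ChangeLog text, which also describes the header as "full-block", with the value the code looks for.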
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
new file mode 100644
index 0000000..e192ae7
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html b/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html
new file mode 100644
index 0000000..65cd034
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-javascript-link.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src='http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?enable-full-block=1&elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3Aalert%28/XSS/%29%3Etest%3C/a%3E'>
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
new file mode 100644
index 0000000..e192ae7
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html b/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html
new file mode 100644
index 0000000..aaeb07b
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-link-onclick.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<a%20onclick='alert(/XSS/)'>Click</a>">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
new file mode 100644
index 0000000..dd1ca50
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to load an object. URL found within request: "http://localhost:8000/security/xssAuditor/resources/dummy.swf".
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html b/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html
new file mode 100644
index 0000000..b071961
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-object-tag.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<object name='plugin' type='application/x-webkit-test-netscape'><param name='movie' value='http://localhost:8000/security/xssAuditor/resources/dummy.swf' /></object>">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
new file mode 100644
index 0000000..dfab090
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe-expected.txt
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe.html b/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe.html
new file mode 100644
index 0000000..68f0de4
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-post-from-iframe.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+function done()
+{
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+window.onload = function()
+{
+ sendRequestFromIFrame("http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl","enable-full-block=1&q=<script>alert(/XSS/)<\/script>","POST", done);
+};
+</script>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
new file mode 100644
index 0000000..e192ae7
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
new file mode 100644
index 0000000..e192ae7
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+There should be no content in the iframe below:
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html
new file mode 100644
index 0000000..097790b
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag-with-source.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script src='http://localhost:8000/security/xssAuditor/resources/xss.js'></script>">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
new file mode 100644
index 0000000..1c39139
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/full-block-script-tag.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>There should be no content in the iframe below:</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?enable-full-block=1&q=<script>alert(/XSS/)</script>">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt b/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt
new file mode 100644
index 0000000..0eefad3
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters.
+
+
+
+--------
+Frame: 'frame'
+--------
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html b/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html
new file mode 100644
index 0000000..680c455
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="http://localhost:8000/security/xssAuditor/resources/utilities.js"></script>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+ layoutTestController.waitUntilDone();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+</iframe>
+</body>
+</html>
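Review bot: what makes this test pass is that shouldFullPageBlockForXSSProtectionHeader() inspects only the first two characters of the stripped value, so `12345678901234567` is accepted as a prefix match, not because any length limit is applied or rejected; any value starting with "12" (for example "12abc") would produce the same empty frame. If prefix matching is the intended contract, say so in the test description rather than framing it as a 16-character limit; if it is not, add a negative case (a value such as "21" or "1") whose expected output shows the script refused but the frame not blanked, so the header parsing is pinned rather than just the prefix.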
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
index 41b1fef..01a5895 100755
--- a/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
@@ -4,6 +4,9 @@ use CGI;
my $cgi = new CGI;
+if ($cgi->param('enable-full-block')) {
+ print "X-XSS-Protection: 12\n";
+}
print "Content-Type: text/html; charset=UTF-8\n\n";
print "<!DOCTYPE html>\n";
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
index 5df3d51..97f37fc 100755
--- a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
@@ -4,6 +4,9 @@ use CGI;
my $cgi = new CGI;
+if ($cgi->param('enable-full-block')) {
+ print "X-XSS-Protection: 12\n";
+}
print "Content-Type: text/html; charset=UTF-8\n\n";
print "<!DOCTYPE html>\n";
@@ -20,9 +23,17 @@ print "</script>\n";
print "</head>\n";
print "<body>\n";
print $cgi->param('q');
-print "<script>\n";
-print "if (window.layoutTestController)\n";
-print " layoutTestController.notifyDone();\n";
-print "</script>\n";
+if ($cgi->param('enable-full-block')) {
+ # Note, when testing a full-page-block, we can't call layoutTestController.notifyDone()
+ # on the generated page because it takes some time for the frame to be redirected to
+ # about:blank. Hence, the caller of this Perl script must call layoutTestController.notifyDone()
+ # after the redirect has occurred.
+ print "<p>If you see this message then the test FAILED.</p>\n";
+} else {
+ print "<script>\n";
+ print "if (window.layoutTestController)\n";
+ print " layoutTestController.notifyDone();\n";
+ print "</script>\n";
+}
print "</body>\n";
print "</html>\n";
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
index cd7631f..05046ab 100755
--- a/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
@@ -4,6 +4,12 @@ use CGI;
my $cgi = new CGI;
+if ($cgi->param('enable-full-block')) {
+ print "X-XSS-Protection: 12\n";
+}
+if ($cgi->param('custom-header')) {
+ print $cgi->param('custom-header') . "\n";
+}
print "Content-Type: text/html; charset=UTF-8\n\n";
print "<!DOCTYPE html>\n";
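Review bot: `print $cgi->param('custom-header') . "\n"` emits whatever arrives in the query string as a raw response header line, with no check that it is a single `Name: value` line; a value containing CR/LF would let a request inject further headers or terminate the header block early. This is a test-only CGI, but since its purpose here is to set X-XSS-Protection, consider accepting only the header value (printing "X-XSS-Protection: " . $value) or at least rejecting newlines, and say so in a comment next to the parameter.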
@@ -16,5 +22,8 @@ if ($cgi->param('notifyDone')) {
print " layoutTestController.notifyDone();\n";
print "</script>\n";
}
+if ($cgi->param('enable-full-block')) {
+ print "<p>If you see this message then the test FAILED.</p>\n";
+}
print "</body>\n";
print "</html>\n";
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js b/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
index 4688334..d612ae1 100644
--- a/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/utilities.js
@@ -1,4 +1,12 @@
-function sendRequestFromIFrame(url, params, HTTPMethod)
+function checkIfFrameLocationMatchesURLAndCallDone(frameId, expectedURL)
+{
+ if (!window.layoutTestController)
+ return;
+ if (document.getElementById(frameId).contentWindow.location == expectedURL)
+ layoutTestController.notifyDone();
+}
+
+function sendRequestFromIFrame(url, params, HTTPMethod, callbackWhenDone)
{
if (!params || !params.length)
return;
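Review bot: checkIfFrameLocationMatchesURLAndCallDone() only calls notifyDone() when the location already matches, and is silent otherwise, so if the block never happens and the frame stays on the echoed URL the test hangs until the harness timeout instead of producing an output diff. The wait-for-the-matching-load design is what lets the test survive the first onload before the about:blank redirect, so keep it, but add a fallback (for example a setTimeout that dumps the actual location and calls notifyDone) so a regression fails quickly with a text mismatch. Minor: `contentWindow.location == expectedURL` relies on Location's implicit string conversion; comparing `.location.href` makes the intent explicit.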
@@ -23,5 +31,7 @@ function sendRequestFromIFrame(url, params, HTTPMethod)
}
frameContent.write('</form>');
frameContent.close();
+ if (callbackWhenDone)
+ iFrameObj.onload = callbackWhenDone;
frameContent.getElementById('form').submit();
-}
\ No newline at end of file
+}
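Review bot: `iFrameObj.onload = callbackWhenDone` hands the callback every load of the frame, so a caller cannot tell whether the load that fired is the echoed response or the later navigation to about:blank that the full block schedules (see the comment added to echo-intertag-click-and-notify.pl about the redirect taking time). Either wrap the callback in the same location check that checkIfFrameLocationMatchesURLAndCallDone() performs, or document above the function that callers must verify the frame location themselves before calling notifyDone().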
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1b082f1..2cd3f3f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,30 @@
+2010-02-01 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=27312
+
+ Implements support for full page blocking via the X-XSS-Protection header.
+
+ Tests: http/tests/security/xssAuditor/full-block-base-href.html
+ http/tests/security/xssAuditor/full-block-get-from-iframe.html
+ http/tests/security/xssAuditor/full-block-iframe-javascript-url.html
+ http/tests/security/xssAuditor/full-block-iframe-no-inherit.php
+ http/tests/security/xssAuditor/full-block-javascript-link.html
+ http/tests/security/xssAuditor/full-block-link-onclick.html
+ http/tests/security/xssAuditor/full-block-object-tag.html
+ http/tests/security/xssAuditor/full-block-post-from-iframe.html
+ http/tests/security/xssAuditor/full-block-script-tag-with-source.html
+ http/tests/security/xssAuditor/full-block-script-tag.html
+ http/tests/security/xssAuditor/malformed-xss-protection-header.html
+
+ * page/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::shouldFullPageBlockForXSSProtectionHeader): Added.
+ (WebCore::XSSAuditor::findInRequest): Modified to call method
+ XSSAuditor::shouldFullPageBlockForXSSProtectionHeader.
+ * page/XSSAuditor.h: Defined method shouldFullPageBlockForXSSProtectionHeader
+ and fixed misspelled words in large comment block.
+
2010-02-01 Kwang Yul Seo <skyul at company100.net>
Reviewed by Eric Seidel.
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 0129b52..b71fa49 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -290,14 +290,38 @@ bool XSSAuditor::isSameOriginResource(const String& url) const
return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
}
+bool XSSAuditor::shouldFullPageBlockForXSSProtectionHeader() const
+{
+ // If we detect an XSS attack and find the HTTP header "X-XSS-Protection: 12" then
+ // we will stop loading the page as opposed to ignoring the script. The value "12"
+ // came from a personal communication, see <https://bugs.webkit.org/show_bug.cgi?id=27312>
+ // for more details.
+ DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, ("X-XSS-Protection"));
+
+ Frame* frame = m_frame;
+ if (frame->document()->url() == blankURL())
+ frame = m_frame->tree()->parent();
+
+ // We strip any whitespace characters to conform to the behavior in Internet Explorer.
+ String xssProtectionValue = frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader).stripWhiteSpace();
+ return (xssProtectionValue.length() >= 2 && xssProtectionValue[0] == '1' && xssProtectionValue[1] == '2');
+}
+
bool XSSAuditor::findInRequest(const FindTask& task) const
{
bool result = false;
Frame* parentFrame = m_frame->tree()->parent();
+ Frame* blockFrame = parentFrame;
if (parentFrame && m_frame->document()->url() == blankURL())
result = findInRequest(parentFrame, task);
- if (!result)
+ if (!result) {
result = findInRequest(m_frame, task);
+ blockFrame = m_frame;
+ }
+ if (result && blockFrame && shouldFullPageBlockForXSSProtectionHeader()) {
+ blockFrame->loader()->stopAllLoaders();
+ blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String());
+ }
return result;
}
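Review bot: in shouldFullPageBlockForXSSProtectionHeader(), `frame` is reassigned to `m_frame->tree()->parent()` when the document URL is about:blank with no null check, so a top-level about:blank frame dereferences null at `frame->loader()`; `documentLoader()` can also be null, so guard both before reading the response. Two further points on this hunk: (1) the frame whose header is consulted and the frame that is blocked are chosen independently. findInRequest() sets blockFrame to the parent only if the parent matched and otherwise to m_frame, while the helper always walks from an about:blank m_frame to its parent, so when the parent did not match but the about:blank child did, the child is blocked on the strength of the parent's header; pass blockFrame into the helper so both decisions use the same frame. (2) `length() >= 2 && [0] == '1' && [1] == '2'` is a prefix match that accepts "123" or "12abc" as well as "12"; if an exact token is intended, compare the stripped value to "12", and either way state the rule in the comment, which currently only mentions "12". Finally, stopAllLoaders() followed by scheduleLocationChange(blankURL()) runs from inside the audit, while the offending script is being evaluated, so content parsed before the injected script stays visible until the scheduled navigation completes; the tests depend on that later about:blank load, which is worth noting here.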
diff --git a/WebCore/page/XSSAuditor.h b/WebCore/page/XSSAuditor.h
index d976f52..3ad50a1 100644
--- a/WebCore/page/XSSAuditor.h
+++ b/WebCore/page/XSSAuditor.h
@@ -36,7 +36,7 @@ namespace WebCore {
class ScriptSourceCode;
// The XSSAuditor class is used to prevent type 1 cross-site scripting
- // vulnerabilites (also known as reflected vulnerabilities).
+ // vulnerabilities (also known as reflected vulnerabilities).
//
// More specifically, the XSSAuditor class decides whether the execution of
// a script is to be allowed or denied based on the content of any
@@ -53,7 +53,7 @@ namespace WebCore {
//
// Bindings
//
- // An XSSAuditor is instantiated within the contructor of a
+ // An XSSAuditor is instantiated within the constructor of a
// ScriptController object and passed the Frame the script originated. The
// ScriptController calls back to the XSSAuditor to determine whether a
// JavaScript script is safe to execute before executing it. The following
@@ -144,6 +144,8 @@ namespace WebCore {
bool findInRequest(const FindTask&) const;
bool findInRequest(Frame*, const FindTask&) const;
+ bool shouldFullPageBlockForXSSProtectionHeader() const;
+
// The frame to audit.
Frame* m_frame;
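Review bot: the new private method is declared without any comment, while the rest of this header documents the auditor's behavior in the large comment block above; add a sentence there (or above the declaration) stating that an `X-XSS-Protection` response header whose value begins with "12" switches the auditor from suppressing the script to stopping the load and navigating the frame to about:blank, so the magic value is discoverable from the interface rather than only from the .cpp comment.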
--
WebKit Debian packaging