Changeset 133323 in webkit
Timestamp: Nov 2, 2012 11:50:57 AM
Location: trunk
Files: 11 added, 16 edited, 5 copied
trunk/LayoutTests/ChangeLog
r133322 r133323 1 2012-11-02 Tom Sepez <tsepez@chromium.org> 2 3 Support X-XSS-Protection: report=URL header syntax in XSSAuditor. 4 https://bugs.webkit.org/show_bug.cgi?id=100892 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt: 9 * http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt: 10 * http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt: 11 * http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt: 12 * http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt: Added. 13 * http/tests/security/xssAuditor/malformed-xss-protection-header-5.html: Added. 14 * http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt: Added. 15 * http/tests/security/xssAuditor/malformed-xss-protection-header-6.html: Added. 16 * http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt: Added. 17 * http/tests/security/xssAuditor/malformed-xss-protection-header-7.html: Added. 18 * http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt: Added. 19 * http/tests/security/xssAuditor/malformed-xss-protection-header-8.html: Added. 20 * http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt: Added. 21 * http/tests/security/xssAuditor/malformed-xss-protection-header-9.html: Added. 22 * http/tests/security/xssAuditor/report-script-tag-expected.txt: Added. 23 * http/tests/security/xssAuditor/report-script-tag.html: Added. 24 * http/tests/security/xssAuditor/resources/echo-intertag.pl: 25 * http/tests/security/xssAuditor/xss-protection-parsing-03-expected.txt: Added. 26 * http/tests/security/xssAuditor/xss-protection-parsing-03.html: Added. 27 * http/tests/security/xssAuditor/xss-protection-parsing-04-expected.txt: Added. 28 * http/tests/security/xssAuditor/xss-protection-parsing-04.html: Added. 29 1 30 2012-11-02 Ian Vollick <vollick@chromium.org> 2 31 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-1-expected.txt
r133066 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon . The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 12345678901234567: expected semicolon at character position 2. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-2-expected.txt
r133066 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: expected 0 or 1 at character position 0. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-3-expected.txt
r133066 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive . The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=purple: invalid mode directive at character position 8. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-4-expected.txt
r133066 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: ex tra characters follow valid header. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block-a-block-block: expected semicolon at character position 14. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-5-expected.txt
r133322 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block -a-block-block: extra characters follow valid header. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report: expected equals sign at character position 21. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 4 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage aftermode=block, and we issue an error4 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report url following mode=block, and we issue an error 5 5 6 6 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-6-expected.txt
r133322 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or1. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; report= ;: invalid report directive at character position 11. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 4 This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.4 This tests that the X-XSS-Protection header is not ignored when there is an incomplete report directive, and we issue an error 5 5 6 6 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-7-expected.txt
r133322 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: red: first non-blank character must be 0 or 1. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; red: unrecognized directive at character position 3. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 4 This tests that the X-XSS-Protection header is not ignored when the first character is not 0 or 1, and that we issue an error.4 This tests that the X-XSS-Protection header is not ignored when there is an invalid directive, and we issue an error 5 5 6 6 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-8-expected.txt
r133322 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block -a-block-block: extra characters follow valid header. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; mode=block;: duplicate mode directive at character position 33. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 4 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error4 This tests that the X-XSS-Protection header is not ignored when there is an duplicate mode directive, and we issue an error 5 5 6 6 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-9-expected.txt
r133322 r133323 1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block -a-block-block: extra characters follow valid header. The default protections will be applied.1 CONSOLE MESSAGE: Error parsing header X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;: duplicate report directive at character position 35. The default protections will be applied. 2 2 CONSOLE MESSAGE: Refused to execute a JavaScript script. Source code of script found within request. 3 3 4 This tests that the X-XSS-Protection header is not ignored when there is a trailing garbage after mode=block, and we issue an error4 This tests that the X-XSS-Protection header is not ignored when there is a duplicate report directive, and we issue an error 5 5 6 6 -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
r133066 r133323 14 14 print "X-XSS-Protection: 1; mode=block\n"; 15 15 } 16 if ($cgi->param('enable-report')) { 17 print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report.php\n"; 18 } 19 16 20 if ($cgi->param('valid-header') == 1) { 17 21 print "X-XSS-Protection: 1 ;MoDe = bLocK \n"; … … 20 24 print "X-XSS-Protection: 1; \n"; 21 25 } 26 if ($cgi->param('valid-header') == 3) { 27 print "X-XSS-Protection: 1; mode=block; \n"; 28 } 29 if ($cgi->param('valid-header') == 4) { 30 print "X-XSS-Protection: 1; report=/security/contentSecurityPolicy/resources/save-report.php; mode=block; \n"; 31 } 32 22 33 if ($cgi->param('malformed-header') == 1) { 23 34 print "X-XSS-Protection: 12345678901234567\n"; … … 31 42 if ($cgi->param('malformed-header') == 4) { 32 43 print "X-XSS-Protection: 1; mode=block-a-block-block\n"; 44 } 45 if ($cgi->param('malformed-header') == 5) { 46 print "X-XSS-Protection: 1; mode=block; report\n"; 47 } 48 if ($cgi->param('malformed-header') == 6) { 49 print "X-XSS-Protection: 1; report= ;\n"; 50 } 51 if ($cgi->param('malformed-header') == 7) { 52 print "X-XSS-Protection: 1; red\n"; 53 } 54 if ($cgi->param('malformed-header') == 8) { 55 print "X-XSS-Protection: 1; mode=block; report=/fail; mode=block;\n"; 56 } 57 if ($cgi->param('malformed-header') == 9) { 58 print "X-XSS-Protection: 1; mode=block; report=/fail; report=/fail;\n"; 33 59 } 34 60 … … 72 98 print "<script>if (/xssAuditorTestCookie/.test(document.cookie)) { alert('FAIL: ' + document.cookie); document.cookie = 'xssAuditorTestCookie=remove; max-age=-1'; } else alert('PASS');</script>\n"; 73 99 } 100 if ($cgi->param('echo-report')) { 101 print "<script src=/security/contentSecurityPolicy/resources/go-to-echo-report.js></script>\n"; 102 } 74 103 print "</body>\n"; 75 104 print "</html>\n"; -
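Review bot: the `enable-report` and `valid-header == 4` cases point the report at `/security/contentSecurityPolicy/resources/save-report.php`, and `echo-report` pulls in `/security/contentSecurityPolicy/resources/go-to-echo-report.js`, so the xssAuditor tests now depend on fixtures owned by the contentSecurityPolicy test directory; a short comment next to those three new `print` lines (or in the LayoutTests ChangeLog entry) would keep a future CSP fixture change from silently breaking these tests. Note also that `valid-header == 4` is the only case that places `report=` before `mode=block`, so it is the sole coverage of directive ordering; worth saying so in the test description.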
trunk/Source/WebCore/ChangeLog
r133321 r133323 1 2012-11-02 Tom Sepez <tsepez@chromium.org> 2 3 Support X-XSS-Protection: report=URL header syntax in XSSAuditor. 4 https://bugs.webkit.org/show_bug.cgi?id=100892 5 6 Reviewed by Adam Barth. 7 8 This patch adds a security feature which allows a violation report to be sent back 9 to a site when the XSSAuditor detects a reflected XSS against it. It uses the same 10 reporting mechanism as for CSP violation reports. 11 12 Tests: http/tests/security/xssAuditor/malformed-xss-protection-header-5.html 13 http/tests/security/xssAuditor/malformed-xss-protection-header-6.html 14 http/tests/security/xssAuditor/malformed-xss-protection-header-7.html 15 http/tests/security/xssAuditor/malformed-xss-protection-header-8.html 16 http/tests/security/xssAuditor/malformed-xss-protection-header-9.html 17 http/tests/security/xssAuditor/report-script-tag.html 18 http/tests/security/xssAuditor/xss-protection-parsing-03.html 19 http/tests/security/xssAuditor/xss-protection-parsing-04.html 20 21 * html/parser/XSSAuditor.cpp: 22 (WebCore::XSSAuditor::XSSAuditor): 23 (WebCore::XSSAuditor::init): 24 (WebCore::XSSAuditor::filterToken): 25 Invoke Ping loader's violation reporting, if requested, when a reflected 26 XSS is detected. 27 28 * html/parser/XSSAuditor.h: 29 XSSAuditor class need to store the report URL as well as the undigested versions 30 of the request URL and request body for reporting. 31 32 * loader/MixedContentChecker.cpp: 33 (WebCore): 34 * loader/MixedContentChecker.h: 35 (MixedContentChecker): 36 Make isMixedContent() method public. 37 38 * loader/PingLoader.cpp: 39 (WebCore::PingLoader::sendViolationReport): 40 * loader/PingLoader.h: 41 (PingLoader): 42 * page/ContentSecurityPolicy.cpp: 43 (WebCore::ContentSecurityPolicy::reportViolation): 44 Renamed reportContentSecurityPolicyViolation() method to sendViolationReport(), 45 since this is now used to send more than just CSP violations. 
46 47 * platform/network/HTTPParsers.cpp: 48 (WebCore): 49 (WebCore::skipEquals): 50 (WebCore::skipValue): 51 (WebCore::parseXSSProtectionHeader): 52 * platform/network/HTTPParsers.h: 53 Parse and return report= directive in X-XSS-Protection header. 54 1 55 2012-11-02 Sheriff Bot <webkit.review.bot@gmail.com> 2 56 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r133249 r133323 33 33 #include "Document.h" 34 34 #include "DocumentLoader.h" 35 #include "FormData.h" 36 #include "FormDataList.h" 35 37 #include "Frame.h" 36 38 #include "FrameLoaderClient.h" … … 40 42 #include "HTMLParamElement.h" 41 43 #include "HTMLParserIdioms.h" 44 #include "InspectorInstrumentation.h" 45 #include "InspectorValues.h" 46 #include "KURL.h" 47 #include "PingLoader.h" 42 48 #include "SecurityOrigin.h" 43 49 #include "Settings.h" … … 168 174 , m_shouldAllowCDATA(false) 169 175 , m_scriptTagNestingLevel(0) 170 , m_notif iedClient(false)176 , m_notifyClient(true) 171 177 { 172 178 ASSERT(m_parser); … … 215 221 m_decodedURL = String(); 216 222 223 String httpBodyAsString; 217 224 if (DocumentLoader* documentLoader = m_parser->document()->frame()->loader()->documentLoader()) { 218 225 DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, (ASCIILiteral("X-XSS-Protection"))); 219 226 String headerValue = documentLoader->response().httpHeaderField(XSSProtectionHeader); 220 227 String errorDetails; 221 m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails); 228 unsigned errorPosition = 0; 229 String reportURL; 230 m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL); 231 232 if ((m_xssProtection == XSSProtectionEnabled || m_xssProtection == XSSProtectionBlockEnabled) && !reportURL.isEmpty()) { 233 m_reportURL = m_parser->document()->completeURL(reportURL); 234 if (MixedContentChecker::isMixedContent(m_parser->document()->securityOrigin(), m_reportURL)) { 235 errorDetails = "insecure reporting URL for secure page"; 236 m_xssProtection = XSSProtectionInvalid; 237 m_reportURL = KURL(); 238 } 239 } 240 222 241 if (m_xssProtection == XSSProtectionInvalid) { 223 DEFINE_STATIC_LOCAL(String, consoleMessageStart, (ASCIILiteral("Error parsing header X-XSS-Protection: "))); 224 DEFINE_STATIC_LOCAL(String, consoleMessageSeparator, (ASCIILiteral(": "))); 225 DEFINE_STATIC_LOCAL(String, consoleMessageEnd, 
(ASCIILiteral(". The default protections will be applied."))); 226 m_parser->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessageStart + headerValue + consoleMessageSeparator + errorDetails + consoleMessageEnd); 242 m_parser->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": " + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied."); 227 243 m_xssProtection = XSSProtectionEnabled; 228 244 } … … 230 246 FormData* httpBody = documentLoader->originalRequest().httpBody(); 231 247 if (httpBody && !httpBody->isEmpty()) { 232 StringhttpBodyAsString = httpBody->flattenToString();248 httpBodyAsString = httpBody->flattenToString(); 233 249 if (!httpBodyAsString.isEmpty()) { 234 250 m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, decoder); … … 241 257 } 242 258 243 if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty()) 259 if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty()) { 244 260 m_isEnabled = false; 261 return; 262 } 263 264 if (!m_reportURL.isEmpty()) { 265 // May need these for reporting later on. 
266 m_originalURL = url; 267 m_originalHTTPBody = httpBodyAsString; 268 } 245 269 } 246 270 … … 273 297 m_parser->document()->frame()->loader()->stopAllLoaders(); 274 298 275 if ( !m_notifiedClient) {299 if (m_notifyClient) { 276 300 m_parser->document()->frame()->loader()->client()->didDetectXSS(m_parser->document()->url(), didBlockEntirePage); 277 m_notifiedClient = true; 301 m_notifyClient = false; 302 } 303 304 if (!m_reportURL.isEmpty()) { 305 RefPtr<InspectorObject> reportDetails = InspectorObject::create(); 306 reportDetails->setString("request-url", m_originalURL); 307 reportDetails->setString("request-body", m_originalHTTPBody); 308 309 RefPtr<InspectorObject> reportObject = InspectorObject::create(); 310 reportObject->setObject("xss-report", reportDetails.release()); 311 312 RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8().data()); 313 PingLoader::sendViolationReport(m_parser->document()->frame(), m_reportURL, report); 314 315 m_reportURL = KURL(); 316 m_originalURL = String(); 317 m_originalHTTPBody = String(); 278 318 } 279 319 -
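Review bot: in the new reporting block of filterToken the report carries the undigested request URL and the full POST body (`request-url`, `request-body`) to `m_reportURL`, while the only restriction init() places on `m_reportURL` is `MixedContentChecker::isMixedContent`; a report endpoint on another origin named in the header therefore receives the complete request, including any form fields that triggered the audit. Suggest either restricting the report URL to the document's origin in init() next to the mixed-content check, or, if cross-origin reporting is intended to mirror CSP, stating that explicitly in a comment at `reportDetails->setString("request-body", m_originalHTTPBody);` so reviewers of later changes know the body is shipped on purpose. Separately, the `"insecure reporting URL for secure page"` path reuses whatever `errorPosition` the parser left behind; that works only because the parser sets `failurePosition = startPos` on a successful report directive, and a one-line comment there would make the coupling visible.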
trunk/Source/WebCore/html/parser/XSSAuditor.h
r126120 r133323 86 86 XSSProtectionDisposition m_xssProtection; 87 87 88 String m_originalURL; 89 String m_originalHTTPBody; 88 90 String m_decodedURL; 89 91 String m_decodedHTTPBody; … … 94 96 bool m_shouldAllowCDATA; 95 97 unsigned m_scriptTagNestingLevel; 96 bool m_notifiedClient; 98 bool m_notifyClient; 99 KURL m_reportURL; 97 100 }; 98 101 -
trunk/Source/WebCore/loader/MixedContentChecker.cpp
r133053 r133323 58 58 } 59 59 60 // static 60 61 bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const KURL& url) 61 62 { -
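Review bot: the added `// static` comment above the `isMixedContent` definition duplicates what the header now declares; minor style point, WebKit code generally omits such annotations on member definitions, so consider dropping it.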
trunk/Source/WebCore/loader/MixedContentChecker.h
r131704 r133323 48 48 bool canDisplayInsecureContent(SecurityOrigin*, const KURL&) const; 49 49 bool canRunInsecureContent(SecurityOrigin*, const KURL&) const; 50 static bool isMixedContent(SecurityOrigin*, const KURL&); 50 51 51 52 private: … … 53 54 FrameLoaderClient* client() const; 54 55 55 static bool isMixedContent(SecurityOrigin*, const KURL&);56 56 void logWarning(bool allowed, const String& action, const KURL&) const; 57 57 -
trunk/Source/WebCore/loader/PingLoader.cpp
r116268 r133323 104 104 } 105 105 106 void PingLoader:: reportContentSecurityPolicyViolation(Frame* frame, const KURL& reportURL, PassRefPtr<FormData> report)106 void PingLoader::sendViolationReport(Frame* frame, const KURL& reportURL, PassRefPtr<FormData> report) 107 107 { 108 108 ResourceRequest request(reportURL); -
trunk/Source/WebCore/loader/PingLoader.h
r95901 r133323 57 57 static void loadImage(Frame*, const KURL& url); 58 58 static void sendPing(Frame*, const KURL& pingURL, const KURL& destinationURL); 59 static void reportContentSecurityPolicyViolation(Frame*, const KURL& reportURL, PassRefPtr<FormData> report);59 static void sendViolationReport(Frame*, const KURL& reportURL, PassRefPtr<FormData> report); 60 60 61 61 ~PingLoader(); -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r133193 r133323 1594 1594 1595 1595 for (size_t i = 0; i < reportURIs.size(); ++i) 1596 PingLoader:: reportContentSecurityPolicyViolation(frame, reportURIs[i], report);1596 PingLoader::sendViolationReport(frame, reportURIs[i], report); 1597 1597 } 1598 1598 -
trunk/Source/WebCore/platform/network/HTTPParsers.cpp
r133066 r133323 82 82 } 83 83 84 // True if the expected equals sign is seen and there is more to follow. 85 static inline bool skipEquals(const String& str, unsigned &pos) 86 { 87 return skipWhiteSpace(str, pos, false) && str[pos++] == '=' && skipWhiteSpace(str, pos, false); 88 } 89 90 // True if a value present, incrementing pos to next space or semicolon, if any. 91 // Note: might return pos == str.length(). 92 static inline bool skipValue(const String& str, unsigned& pos) 93 { 94 unsigned start = pos; 95 unsigned len = str.length(); 96 while (pos < len) { 97 if (str[pos] == ' ' || str[pos] == '\t' || str[pos] == ';') 98 break; 99 ++pos; 100 } 101 return pos != start; 102 } 103 84 104 // See RFC 2616, Section 2.2. 85 105 bool isRFC2616Token(const String& characters) … … 321 341 } 322 342 323 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason )324 { 325 DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral(" first non-blank character must be0 or 1")));343 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL) 344 { 345 DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("expected 0 or 1"))); 326 346 DEFINE_STATIC_LOCAL(String, failureReasonInvalidSeparator, (ASCIILiteral("expected semicolon"))); 347 DEFINE_STATIC_LOCAL(String, failureReasonInvalidEquals, (ASCIILiteral("expected equals sign"))); 327 348 DEFINE_STATIC_LOCAL(String, failureReasonInvalidMode, (ASCIILiteral("invalid mode directive"))); 328 DEFINE_STATIC_LOCAL(String, failureReasonInvalidExtra, (ASCIILiteral("extra characters follow valid header"))); 349 DEFINE_STATIC_LOCAL(String, failureReasonInvalidReport, (ASCIILiteral("invalid report directive"))); 350 DEFINE_STATIC_LOCAL(String, failureReasonDuplicateMode, (ASCIILiteral("duplicate mode directive"))); 351 DEFINE_STATIC_LOCAL(String, failureReasonDuplicateReport, (ASCIILiteral("duplicate 
report directive"))); 352 DEFINE_STATIC_LOCAL(String, failureReasonInvalidDirective, (ASCIILiteral("unrecognized directive"))); 329 353 330 354 unsigned pos = 0; … … 341 365 } 342 366 343 if (!skipWhiteSpace(header, pos, false)) 344 return XSSProtectionEnabled; 345 346 if (header[pos++] != ';') { 347 failureReason = failureReasonInvalidSeparator; 348 return XSSProtectionInvalid; 349 } 350 351 if (!skipWhiteSpace(header, pos, false)) 352 return XSSProtectionEnabled; 353 354 if (!(skipToken(header, pos, "mode") 355 && skipWhiteSpace(header, pos, false) 356 && header[pos++] == '=' 357 && skipWhiteSpace(header, pos, false) 358 && skipToken(header, pos, "block"))) { 359 failureReason = failureReasonInvalidMode; 360 return XSSProtectionInvalid; 361 } 362 363 if (skipWhiteSpace(header, pos, false)) { 364 failureReason = failureReasonInvalidExtra; 365 return XSSProtectionInvalid; 366 } 367 368 return XSSProtectionBlockEnabled; 367 XSSProtectionDisposition result = XSSProtectionEnabled; 368 bool modeDirectiveSeen = false; 369 bool reportDirectiveSeen = false; 370 371 while (1) { 372 // At end of previous directive: consume whitespace, semicolon, and whitespace. 373 if (!skipWhiteSpace(header, pos, false)) 374 return result; 375 376 if (header[pos++] != ';') { 377 failureReason = failureReasonInvalidSeparator; 378 failurePosition = pos; 379 return XSSProtectionInvalid; 380 } 381 382 if (!skipWhiteSpace(header, pos, false)) 383 return result; 384 385 // At start of next directive. 
386 if (skipToken(header, pos, "mode")) { 387 if (modeDirectiveSeen) { 388 failureReason = failureReasonDuplicateMode; 389 failurePosition = pos; 390 return XSSProtectionInvalid; 391 } 392 modeDirectiveSeen = true; 393 if (!skipEquals(header, pos)) { 394 failureReason = failureReasonInvalidEquals; 395 failurePosition = pos; 396 return XSSProtectionInvalid; 397 } 398 if (!skipToken(header, pos, "block")) { 399 failureReason = failureReasonInvalidMode; 400 failurePosition = pos; 401 return XSSProtectionInvalid; 402 } 403 result = XSSProtectionBlockEnabled; 404 } else if (skipToken(header, pos, "report")) { 405 if (reportDirectiveSeen) { 406 failureReason = failureReasonDuplicateReport; 407 failurePosition = pos; 408 return XSSProtectionInvalid; 409 } 410 reportDirectiveSeen = true; 411 if (!skipEquals(header, pos)) { 412 failureReason = failureReasonInvalidEquals; 413 failurePosition = pos; 414 return XSSProtectionInvalid; 415 } 416 size_t startPos = pos; 417 if (!skipValue(header, pos)) { 418 failureReason = failureReasonInvalidReport; 419 failurePosition = pos; 420 return XSSProtectionInvalid; 421 } 422 reportURL = header.substring(startPos, pos - startPos); 423 failurePosition = startPos; // If later semantic check deems unacceptable. 424 } else { 425 failureReason = failureReasonInvalidDirective; 426 failurePosition = pos; 427 return XSSProtectionInvalid; 428 } 429 } 369 430 } 370 431 -
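Review bot: `skipValue` accepts any run of characters up to a space, tab or semicolon, so `parseXSSProtectionHeader` hands back `reportURL` without checking that it is a URL at all; the only semantic check is the mixed-content test in the caller after `completeURL`. That is acceptable if documented, but the line `failurePosition = startPos; // If later semantic check deems unacceptable.` is the whole contract the caller relies on, and it should say which caller and that `failurePosition` is meaningful even when the function returns a non-invalid disposition. Two style points in the same hunk: `static inline bool skipEquals(const String& str, unsigned &pos)` attaches `&` to the name while the neighbouring `skipValue(const String& str, unsigned& pos)` attaches it to the type, and `while (1)` would read better as `while (true)`; the `size_t startPos = pos;` also mixes `size_t` with the `unsigned` used for `pos` everywhere else in the function.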
trunk/Source/WebCore/platform/network/HTTPParsers.h
r133066 r133323 62 62 String extractCharsetFromMediaType(const String&); 63 63 void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0); 64 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason );64 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL); 65 65 String extractReasonPhraseFromHTTPStatusLine(const String&); 66 66
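Review bot: the new signature adds `unsigned& failurePosition` and `String& reportURL` with no comment; since `failurePosition` is only defined on an invalid result except for the report-directive case, where the .cpp deliberately sets it on success as well, the declaration in HTTPParsers.h should carry a short comment describing when each out-parameter is written, so callers other than XSSAuditor do not read an unset position.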