Changeset 145331 in webkit
- Timestamp:
- Mar 10, 2013 12:57:08 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 5 edited
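--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,33 @@
+2013-03-10 Mike West <mkwst@chromium.org>
+
+XSSAuditor doesn't need a copy of the original document URL.
+https://bugs.webkit.org/show_bug.cgi?id=111944
+
+Reviewed by Adam Barth.
+
+When creating an XSSInfo object in response to detecting reflected XSS
+on a page, the Auditor was passing in a copy of the document's
+original URL for reporting. It doesn't look like we need this, as
+XSSInfo's only consumer, XSSAuditorDelegate, runs on the main thread
+with access to the document. We can obtain access to the same
+information by reading the URL directly from the delegate's Document
+object if and when we need it.
+
+* html/parser/XSSAuditorDelegate.cpp:
+(WebCore::XSSAuditorDelegate::didBlockScript):
+Read the document's URL directly in order to create a violation
+report.
+(WebCore::XSSInfo::isSafeToSendToAnotherThread):
+* html/parser/XSSAuditorDelegate.h:
+(WebCore::XSSInfo::create):
+(WebCore::XSSInfo::XSSInfo):
+* html/parser/XSSAuditor.cpp:
+(WebCore::XSSAuditor::init):
+(WebCore::XSSAuditor::filterToken):
+(WebCore::XSSAuditor::isSafeToSendToAnotherThread):
+* html/parser/XSSAuditor.h:
+Remove the copied original URL from both XSSInfo objects and the
+XSSAuditor.
+
 2013-03-10 Andreas Kling <akling@apple.com>
 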
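--- a/trunk/Source/WebCore/html/parser/XSSAuditor.cpp
+++ b/trunk/Source/WebCore/html/parser/XSSAuditor.cpp
@@ -313,9 +313,6 @@
 }
 
-if (!m_reportURL.isEmpty()) {
-// May need these for reporting later on.
-m_originalURL = m_documentURL.string().isolatedCopy();
+if (!m_reportURL.isEmpty())
 m_originalHTTPBody = httpBodyAsString;
-}
 }
 
@@ -338,8 +335,7 @@
 if (didBlockScript) {
 bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
-OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_original URL, m_originalHTTPBody, didBlockEntirePage);
+OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalHTTPBody, didBlockEntirePage);
 if (!m_reportURL.isEmpty()) {
 m_reportURL = KURL();
-m_originalURL = String();
 m_originalHTTPBody = String();
 }
@@ -732,5 +728,4 @@
 {
 return m_documentURL.isSafeToSendToAnotherThread()
-&& m_originalURL.isSafeToSendToAnotherThread()
 && m_originalHTTPBody.isSafeToSendToAnotherThread()
 && m_decodedURL.isSafeToSendToAnotherThread()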
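Review bot: The first hunk drops the comment that explained why request data is stashed, but the remaining `m_originalHTTPBody = httpBodyAsString;` still exists only for the violation report and now stands unexplained. I would keep a one-line comment above the `if`, for example `// Kept for the violation report; only needed when a report URL is set.` Since this member holds the request body, the comment could also say that the second hunk resets it to an empty String once the XSSInfo has been created. The enclosing function starts outside the hunk.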
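--- a/trunk/Source/WebCore/html/parser/XSSAuditor.h
+++ b/trunk/Source/WebCore/html/parser/XSSAuditor.h
@@ -106,5 +106,4 @@
 ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
 
-String m_originalURL;
 String m_originalHTTPBody;
 String m_decodedURL;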
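--- a/trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp
+++ b/trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp
@@ -44,5 +44,4 @@
 {
 return m_reportURL.isSafeToSendToAnotherThread()
-&& m_originalURL.isSafeToSendToAnotherThread()
 && m_originalHTTPBody.isSafeToSendToAnotherThread();
 }
@@ -74,5 +73,5 @@
 if (!xssInfo.m_reportURL.isEmpty()) {
 RefPtr<InspectorObject> reportDetails = InspectorObject::create();
-reportDetails->setString("request-url", xssInfo.m_originalURL);
+reportDetails->setString("request-url", m_document->url().string());
 reportDetails->setString("request-body", xssInfo.m_originalHTTPBody);
 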
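Review bot: In the second hunk, `request-url` is now read from `m_document->url()` at the moment the report is built, whereas the removed field carried a copy taken when the auditor was initialised. If the document's URL can change between those two points (the history API is one way, though whether it can run before the auditor fires is not visible here), the report would no longer name the URL of the request that was audited, which weakens it for whoever triages the report. A comment such as `// Live document URL; assumed unchanged since XSSAuditor::init().` would record the assumption, and the dereference of `m_document` has no visible null check in this hunk. The body of didBlockScript starts and ends outside the hunk.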
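--- a/trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h
+++ b/trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h
@@ -40,7 +40,7 @@
 class XSSInfo {
 public:
-static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& original URL, const String& originalHTTPBody, bool didBlockEntirePage)
+static PassOwnPtr<XSSInfo> create(const KURL& reportURL, const String& originalHTTPBody, bool didBlockEntirePage)
 {
-return adoptPtr(new XSSInfo(reportURL, original URL, originalHTTPBody, didBlockEntirePage));
+return adoptPtr(new XSSInfo(reportURL, originalHTTPBody, didBlockEntirePage));
 }
 
@@ -48,5 +48,4 @@
 
 KURL m_reportURL;
-String m_originalURL;
 String m_originalHTTPBody;
 bool m_didBlockEntirePage;
@@ -54,7 +53,6 @@
 
 private:
-XSSInfo(const KURL& reportURL, const String& original URL, const String& originalHTTPBody, bool didBlockEntirePage)
+XSSInfo(const KURL& reportURL, const String& originalHTTPBody, bool didBlockEntirePage)
 : m_reportURL(reportURL)
-, m_originalURL(originalURL)
 , m_originalHTTPBody(originalHTTPBody)
 , m_didBlockEntirePage(didBlockEntirePage)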