Changeset 50631 in webkit
- Timestamp:
- Nov 8, 2009 5:18:08 PM (14 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 4 edited
trunk/LayoutTests/ChangeLog
r50626 r50631 1 2009-11-08 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=31098 6 7 Tests that the XSSAuditor prevents loading plugin-based content that is not 8 from the same-origin as the enclosing page. 9 10 * http/tests/security/xssAuditor/object-src-inject-expected.txt: Added. 11 * http/tests/security/xssAuditor/object-src-inject.html: Added. 12 * http/tests/security/xssAuditor/resources/echo-object-src.pl: Added. 13 1 14 2009-11-08 Shu Chang <Chang.Shu@nokia.com> 2 15 -
trunk/WebCore/ChangeLog
r50630 r50631 1 2009-11-08 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=31098 6 7 Allows same-origin plugin-based content to load. 8 9 Test: http/tests/security/xssAuditor/object-src-inject.html 10 11 * page/XSSAuditor.cpp: 12 (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): Modified to call XSSAuditor::isSameOriginResource. 13 (WebCore::XSSAuditor::canLoadObject): Ditto. 14 (WebCore::XSSAuditor::canSetBaseElementURL): Ditto. 15 (WebCore::XSSAuditor::isSameOriginResource): Added. 16 * page/XSSAuditor.h: 17 1 18 2009-11-08 David Levin <levin@chromium.org> 2 19 -
trunk/WebCore/page/XSSAuditor.cpp
r49668 r50631 145 145 return true; 146 146 147 // If the script is loaded from the same URL as the enclosing page, it's 148 // probably not an XSS attack, so we reduce false positives by allowing the 149 // script. If the script has a query string, we're more suspicious, 150 // however, because that's pretty rare and the attacker might be able to 151 // trick a server-side script into doing something dangerous with the query 152 // string. 153 KURL scriptURL(m_frame->document()->url(), url); 154 if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty()) 147 if (isSameOriginResource(url)) 155 148 return true; 156 149 … … 168 161 return true; 169 162 163 if (isSameOriginResource(url)) 164 return true; 165 170 166 if (findInRequest(url)) { 171 167 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request")); … … 180 176 if (!isEnabled()) 181 177 return true; 182 183 KURL baseElementURL(m_frame->document()->url(), url); 184 if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) { 178 179 if (isSameOriginResource(url)) 180 return true; 181 182 if (findInRequest(url)) { 185 183 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request")); 186 184 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 256 254 } 257 255 256 bool XSSAuditor::isSameOriginResource(const String& url) const 257 { 258 // If the resource is loaded from the same URL as the enclosing page, it's 259 // probably not an XSS attack, so we reduce false positives by allowing the 260 // request. If the resource has a query string, we're more suspicious, 261 // however, because that's pretty rare and the attacker might be able to 262 // trick a server-side script into doing something dangerous with the query 263 // string. 
264 KURL resourceURL(m_frame->document()->url(), url); 265 return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty()); 266 } 267 258 268 bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 259 269 bool decodeURLEscapeSequencesTwice) const -
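Review bot: isSameOriginResource compares only host() on the new line 265, so a resource served from the same host but over a different scheme or port is treated as "same-origin" and skips findInRequest in all three callers (canLoadExternalScriptFromSrc, canLoadObject, canSetBaseElementURL), which is a looser allow-list than the function name suggests. Since this is the auditor's bypass path, it would be safer to compare at least scheme, host and port, e.g. `const KURL& pageURL = m_frame->document()->url(); return pageURL.protocol() == resourceURL.protocol() && pageURL.host() == resourceURL.host() && pageURL.port() == resourceURL.port() && resourceURL.query().isEmpty();`, or to delegate to the document's SecurityOrigin if a suitable check is available in this tree. The comment on lines 258-263 also says "the same URL as the enclosing page" while the code checks only host and an empty query; rewording it to "same host (and no query string)" would keep the comment honest about what is actually enforced. The bodies of canLoadObject and canSetBaseElementURL start outside the visible hunks.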
trunk/WebCore/page/XSSAuditor.h
r49668 r50631 123 123 static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true); 124 124 125 bool isSameOriginResource(const String& url) const; 125 126 bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 126 127 bool decodeURLEscapeSequencesTwice = false) const;