Changeset 50631 in webkit


Timestamp:
Nov 8, 2009 5:18:08 PM (14 years ago)
Author:
dbates@webkit.org
Message:

2009-11-08 Daniel Bates <dbates@webkit.org>

Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=31098

Allows same-origin plugin-based content to load.

Test: http/tests/security/xssAuditor/object-src-inject.html

  • page/XSSAuditor.cpp:
    (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): Modified to call XSSAuditor::isSameOriginResource.
    (WebCore::XSSAuditor::canLoadObject): Ditto.
    (WebCore::XSSAuditor::canSetBaseElementURL): Ditto.
    (WebCore::XSSAuditor::isSameOriginResource): Added.
  • page/XSSAuditor.h:

2009-11-08 Daniel Bates <dbates@webkit.org>

Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=31098

Tests that the XSSAuditor prevents loading plugin-based content that is not
from the same-origin as the enclosing page.

  • http/tests/security/xssAuditor/object-src-inject-expected.txt: Added.
  • http/tests/security/xssAuditor/object-src-inject.html: Added.
  • http/tests/security/xssAuditor/resources/echo-object-src.pl: Added.
Location:
trunk
Files:
3 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r50626 r50631  
     12009-11-08  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=31098
     6
     7        Tests that the XSSAuditor prevents loading plugin-based content that is not
     8        from the same-origin as the enclosing page.
     9
     10        * http/tests/security/xssAuditor/object-src-inject-expected.txt: Added.
     11        * http/tests/security/xssAuditor/object-src-inject.html: Added.
     12        * http/tests/security/xssAuditor/resources/echo-object-src.pl: Added.
     13
    1142009-11-08  Shu Chang  <Chang.Shu@nokia.com>
    215
  • trunk/WebCore/ChangeLog

    r50630 r50631  
     12009-11-08  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=31098
     6
     7        Allows same-origin plugin-based content to load.
     8
     9        Test: http/tests/security/xssAuditor/object-src-inject.html
     10
     11        * page/XSSAuditor.cpp:
     12        (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): Modified to call XSSAuditor::isSameOriginResource.
     13        (WebCore::XSSAuditor::canLoadObject): Ditto.
     14        (WebCore::XSSAuditor::canSetBaseElementURL): Ditto.
     15        (WebCore::XSSAuditor::isSameOriginResource): Added.
     16        * page/XSSAuditor.h:
     17
    1182009-11-08  David Levin  <levin@chromium.org>
    219
  • trunk/WebCore/page/XSSAuditor.cpp

    r49668 r50631  
    145145        return true;
    146146
    147     // If the script is loaded from the same URL as the enclosing page, it's
    148     // probably not an XSS attack, so we reduce false positives by allowing the
    149     // script. If the script has a query string, we're more suspicious,
    150     // however, because that's pretty rare and the attacker might be able to
    151     // trick a server-side script into doing something dangerous with the query
    152     // string.
    153     KURL scriptURL(m_frame->document()->url(), url);
    154     if (m_frame->document()->url().host() == scriptURL.host() && scriptURL.query().isEmpty())
     147    if (isSameOriginResource(url))
    155148        return true;
    156149
     
    168161        return true;
    169162
     163    if (isSameOriginResource(url))
     164        return true;
     165
    170166    if (findInRequest(url)) {
    171167        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
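Review bot: the early return added at 163-164 makes canLoadObject accept a same-host, query-less object/embed URL even when that URL is reflected in the request, which is the intended fix for the bug but is also the path most worth pinning down with a test; the ChangeLog only describes object-src-inject.html as checking that cross-origin plugin content is blocked, so consider adding an expected-pass case for the same-origin allow path so a later change cannot silently drop it.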
     
    180176    if (!isEnabled())
    181177        return true;
    182    
    183     KURL baseElementURL(m_frame->document()->url(), url);
    184     if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
     178
     179    if (isSameOriginResource(url))
     180        return true;
     181
     182    if (findInRequest(url)) {
    185183        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
    186184        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
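Review bot: the condition removed at 184 and the two checks added at 179-182 are not equivalent: previously a same-host base URL was always accepted, whereas now a same-host URL that carries a query string falls through to findInRequest and can be refused. That is a sensible tightening, consistent with the query-string caution in isSameOriginResource, but it changes behaviour beyond "call the helper" and deserves a sentence in the ChangeLog and a test. Separately, the console message at 185183 still reads "Refused to execute a JavaScript script. Source code of script found within request" although this function rejects a <base> element URL, not a script; a message naming the base element would make the console output meaningful to developers.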
     
    256254}
    257255
     256bool XSSAuditor::isSameOriginResource(const String& url) const
     257{
     258    // If the resource is loaded from the same URL as the enclosing page, it's
     259    // probably not an XSS attack, so we reduce false positives by allowing the
     260    // request. If the resource has a query string, we're more suspicious,
     261    // however, because that's pretty rare and the attacker might be able to
     262    // trick a server-side script into doing something dangerous with the query
     263    // string.
     264    KURL resourceURL(m_frame->document()->url(), url);
     265    return (m_frame->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
     266}
     267
    258268bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
    259269                               bool decodeURLEscapeSequencesTwice) const
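Review bot: the name isSameOriginResource overstates what the comparison at 265 does: only the host component is compared, so scheme and port are ignored and an http page would treat an https (or non-default-port) resource on the same host as same-origin. If host-only matching is the intended false-positive heuristic, rename the helper (for example isSameHostResource) or document the narrowing in a comment; otherwise compare through the document's SecurityOrigin or also check protocol() and port(). Note also that URLs with no host component (data:, javascript:) compare equal to each other, so a document that itself has no host (about:blank, file:) would pass such resources through this check with an empty query string.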
  • trunk/WebCore/page/XSSAuditor.h

    r49668 r50631  
    123123        static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
    124124
     125        bool isSameOriginResource(const String& url) const;
    125126        bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
    126127                           bool decodeURLEscapeSequencesTwice = false) const;