Changeset 52532 in webkit

Timestamp:

Dec 23, 2009 3:22:34 PM (14 years ago)

Author:

abarth@webkit.org

Message:

2009-12-23 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

"Refused to execute a JavaScript script" error when embedding SWF with
a URL that is also a query parameter
​https://bugs.webkit.org/show_bug.cgi?id=32908

Update expected results to show that we don't raise an alarm in this case.

• http/tests/security/xssAuditor/object-src-inject-expected.txt:

2009-12-23 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

"Refused to execute a JavaScript script" error when embedding SWF with
a URL that is also a query parameter
​https://bugs.webkit.org/show_bug.cgi?id=32908

Don't block direct injections into the object src attribute unless
there's an illegal character (like < or ") in the URL. This change
lets some very unusual vulnerabilities through the filter but removes a
false positive that we've seen several times.

• page/XSSAuditor.cpp: (WebCore::XSSAuditor::canLoadObject):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/object-src-inject-expected.txt (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/page/XSSAuditor.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-12-23  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        "Refused to execute a JavaScript script" error when embedding SWF with
+        a URL that is also a query parameter
+        https://bugs.webkit.org/show_bug.cgi?id=32908
+
+        Update expected results to show that we don't raise an alarm in this case.
+
+        * http/tests/security/xssAuditor/object-src-inject-expected.txt:
+
 2009-12-23  Dan Bernstein  <mitz@apple.com>
 

trunk/LayoutTests/http/tests/security/xssAuditor/object-src-inject-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Refused to load an object. URL found within request: "http://127.0.0.1:8000/security/xssAuditor/resources/dummy.swf".
 
-

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-12-23  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        "Refused to execute a JavaScript script" error when embedding SWF with
+        a URL that is also a query parameter
+        https://bugs.webkit.org/show_bug.cgi?id=32908
+
+        Don't block direct injections into the object src attribute unless
+        there's an illegal character (like < or ") in the URL.  This change
+        lets some very unusual vulnerabilities through the filter but removes a
+        false positive that we've seen several times.
+
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::canLoadObject):
+
 2009-12-23  Dumitru Daniliuc  <dumi@chromium.org>
 

trunk/WebCore/page/XSSAuditor.cpp

@@ -164 +164 @@
         return true;
 
-    if (findInRequest(url)) {
+    if (findInRequest(url, true, true)) {
         String consoleMessage = String::format("Refused to load an object. URL found within request: \"%s\".\n", url.utf8().data());
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());