Changeset 56295 in webkit
- Timestamp:
- Mar 19, 2010 8:55:13 PM (14 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 11 edited
- 2 copied
trunk/LayoutTests/ChangeLog
r56291 r56295 1 2010-03-19 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 Change XSSAuditor block syntax 6 https://bugs.webkit.org/show_bug.cgi?id=34436 7 8 Update tests to account for the new blocking syntax. Added test for 9 disabling the XSS filter. 10 11 * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt: 12 * http/tests/security/xssAuditor/malformed-xss-protection-header.html: 13 * http/tests/security/xssAuditor/no-protection-script-tag-expected.txt: Added. 14 * http/tests/security/xssAuditor/no-protection-script-tag.html: Added. 15 * http/tests/security/xssAuditor/resources/echo-head-base-href.pl: 16 * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl: 17 * http/tests/security/xssAuditor/resources/echo-intertag.pl: 18 * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt: Added. 19 * http/tests/security/xssAuditor/xss-protection-parsing-01.html: Added. 20 1 21 2010-03-19 Zhenyao Mo <zmo@google.com> 2 22 -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt
r54202 r56295 8 8 Frame: 'frame' 9 9 -------- 10 10 If you see this message and no JavaScript alert() then the test PASSED. -
trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html
r54202 r56295 14 14 <body> 15 15 <p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p> 16 <iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl? custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">16 <iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>"> 17 17 </iframe> 18 18 </body> -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl
r54202 r56295 6 6 7 7 if ($cgi->param('enable-full-block')) { 8 print "X-XSS-Protection: 1 2\n";8 print "X-XSS-Protection: 1; mode=block\n"; 9 9 } 10 10 print "Content-Type: text/html; charset=UTF-8\n\n"; -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl
r54202 r56295 6 6 7 7 if ($cgi->param('enable-full-block')) { 8 print "X-XSS-Protection: 1 2\n";8 print "X-XSS-Protection: 1; mode=block\n"; 9 9 } 10 10 print "Content-Type: text/html; charset=UTF-8\n\n"; -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
r54202 r56295 6 6 7 7 if ($cgi->param('enable-full-block')) { 8 print "X-XSS-Protection: 12\n"; 8 print "X-XSS-Protection: 1; mode=block\n"; 9 } 10 if ($cgi->param('disable-protection')) { 11 print "X-XSS-Protection: 0\n"; 12 } 13 if ($cgi->param('crazy-header')) { 14 print "X-XSS-Protection: 1 ;MoDe = bLocK \n"; 9 15 } 10 16 if ($cgi->param('custom-header')) { -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt
r56294 r56295 1 1 CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request. 2 2 3 This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters.3 This tests our parsing of the X-XSS-Protection header. 4 4 5 5 -
trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html
r56294 r56295 13 13 </head> 14 14 <body> 15 <p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p>16 <iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?c ustom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">15 <p>This tests our parsing of the X-XSS-Protection header.</p> 16 <iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?crazy-header=1&q=<script>alert(/XSS/)</script><p>If you see this message then the test FAILED.</p>"> 17 17 </iframe> 18 18 </body> -
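Review bot: This test covers only a value that must be accepted as block mode (`crazy-header=1`), so nothing checks that near-miss values are rejected. The `custom-header` parameter of echo-intertag.pl already lets a test send an arbitrary value, so companion cases could assert that truncated or padded values such as `X-XSS-Protection: 1; mode=bloc` or `1; mode=block junk` leave the frame where it is instead of navigating it to `about:blank`. A matching case for the opt-out side, for example a value that begins with `0` but has trailing text, would pin down how strictly the disabling syntax is meant to be parsed.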
trunk/WebCore/ChangeLog
r56293 r56295 1 2010-03-19 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Daniel Bates. 4 5 Change XSSAuditor block syntax 6 https://bugs.webkit.org/show_bug.cgi?id=34436 7 8 Update our blocking syntax to something more reasonable. Also, 9 implemented a way for a web site to disable the filter. 10 11 Tests: http/tests/security/xssAuditor/no-protection-script-tag.html 12 http/tests/security/xssAuditor/xss-protection-parsing-01.html 13 14 * page/XSSAuditor.cpp: 15 (WebCore::XSSAuditor::xssProtection): 16 (WebCore::XSSAuditor::findInRequest): 17 * page/XSSAuditor.h: 18 * platform/network/HTTPParsers.cpp: 19 (WebCore::skipToken): 20 (WebCore::parseXSSProtectionHeader): 21 * platform/network/HTTPParsers.h: 22 (WebCore::): 23 1 24 2010-03-19 Eric Uhrhane <ericu@chromium.org> 2 25 -
trunk/WebCore/page/XSSAuditor.cpp
r55290 r56295 291 291 } 292 292 293 bool XSSAuditor::shouldFullPageBlockForXSSProtectionHeader() const 294 { 295 // If we detect an XSS attack and find the HTTP header "X-XSS-Protection: 12" then 296 // we will stop loading the page as opposed to ignoring the script. The value "12" 297 // came from a personal communication, see <https://bugs.webkit.org/show_bug.cgi?id=27312> 298 // for more details. 293 XSSProtectionDisposition XSSAuditor::xssProtection() const 294 { 299 295 DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, ("X-XSS-Protection")); 300 296 … … 303 299 frame = m_frame->tree()->parent(); 304 300 305 // We strip any whitespace characters to conform to the behavior in Internet Explorer. 306 String xssProtectionValue = frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader).stripWhiteSpace(); 307 return (xssProtectionValue.length() >= 2 && xssProtectionValue[0] == '1' && xssProtectionValue[1] == '2'); 301 return parseXSSProtectionHeader(frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader)); 308 302 } 309 303 … … 319 313 blockFrame = m_frame; 320 314 } 321 if (result && blockFrame && shouldFullPageBlockForXSSProtectionHeader()) { 322 blockFrame->loader()->stopAllLoaders(); 323 blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String()); 324 } 325 return result; 315 if (!result) 316 return false; 317 318 switch (xssProtection()) { 319 case XSSProtectionDisabled: 320 return false; 321 case XSSProtectionEnabled: 322 break; 323 case XSSProtectionBlockEnabled: 324 if (blockFrame) { 325 blockFrame->loader()->stopAllLoaders(); 326 blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String()); 327 } 328 break; 329 default: 330 ASSERT_NOT_REACHED(); 331 } 332 return true; 326 333 } 327 334 -
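Review bot: The comment that explained the header semantics is removed along with the old function, and `xssProtection()` and the new `switch` in `findInRequest` get none, which leaves `case XSSProtectionDisabled: return false;` (a positive match being discarded at the site's request) undocumented. I would add above `xssProtection()` something like `// Maps the X-XSS-Protection response header to a disposition: "0" disables the auditor, "1; mode=block" blocks the whole page, anything else filters only.` and on the disabled arm `// Site opted out: report no match.` The `default:` arm falls through to `return true`, so an unexpected value keeps filtering on in release builds; a short comment saying that is intentional would stop someone "fixing" it later. Both function bodies are partly elided in this view, so which frame's response is consulted cannot be confirmed from here.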
trunk/WebCore/page/XSSAuditor.h
r55290 r56295 28 28 #define XSSAuditor_h 29 29 30 #include "HTTPParsers.h" 30 31 #include "PlatformString.h" 31 32 #include "TextEncoding.h" … … 145 146 bool findInRequest(Frame*, const FindTask&) const; 146 147 147 bool shouldFullPageBlockForXSSProtectionHeader() const;148 XSSProtectionDisposition xssProtection() const; 148 149 149 150 // The frame to audit. -
trunk/WebCore/platform/network/HTTPParsers.cpp
r50633 r56295 56 56 } 57 57 58 // Returns true if the function can match the whole token (case insensitive). 59 // Note: Might return pos == str.length() 60 static inline bool skipToken(const String& str, int& pos, const char* token) 61 { 62 int len = str.length(); 63 64 while (pos != len && *token) { 65 if (toASCIILower(str[pos]) != *token++) 66 return false; 67 ++pos; 68 } 69 70 return true; 71 } 72 58 73 bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url) 59 74 { … … 221 236 return String(); 222 237 } 223 } 238 239 XSSProtectionDisposition parseXSSProtectionHeader(const String& header) 240 { 241 String stippedHeader = header.stripWhiteSpace(); 242 243 if (stippedHeader.isEmpty()) 244 return XSSProtectionEnabled; 245 246 if (stippedHeader[0] == '0') 247 return XSSProtectionDisabled; 248 249 int length = (int)header.length(); 250 int pos = 0; 251 if (stippedHeader[pos++] == '1' 252 && skipWhiteSpace(stippedHeader, pos, false) 253 && stippedHeader[pos++] == ';' 254 && skipWhiteSpace(stippedHeader, pos, false) 255 && skipToken(stippedHeader, pos, "mode") 256 && skipWhiteSpace(stippedHeader, pos, false) 257 && stippedHeader[pos++] == '=' 258 && skipWhiteSpace(stippedHeader, pos, false) 259 && skipToken(stippedHeader, pos, "block") 260 && pos == length) 261 return XSSProtectionBlockEnabled; 262 263 return XSSProtectionEnabled; 264 } 265 266 } -
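Review bot: In `parseXSSProtectionHeader`, `length` is taken from `header` while `pos` indexes `stippedHeader`, so whenever stripping removed anything the final `pos == length` cannot hold and a valid `1; mode=block` silently degrades to `XSSProtectionEnabled`; it should read `int length = (int)stippedHeader.length();`. `skipToken` also returns true when the string ends before the token does, so a truncated value such as `1; mode=b` appears to reach `pos == length` and select block mode; ending the helper with `return !*token;` would make it match its own comment. Separately, `stippedHeader[0] == '0'` turns the auditor off for any value that merely begins with `0`, and since this is the branch that removes protection I would require nothing but whitespace after the `0` before returning `XSSProtectionDisabled`. The indexed reads after each `skipWhiteSpace` rely on that helper returning false at end of string, which is defined outside this hunk.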
trunk/WebCore/platform/network/HTTPParsers.h
r44508 r56295 32 32 namespace WebCore { 33 33 34 34 class String; 35 35 36 bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url); 37 double parseDate(const String&); 38 String filenameFromHTTPContentDisposition(const String&); 39 String extractMIMETypeFromMediaType(const String&); 40 String extractCharsetFromMediaType(const String&); 36 enum XSSProtectionDisposition { 37 XSSProtectionDisabled, 38 XSSProtectionEnabled, 39 XSSProtectionBlockEnabled 40 }; 41 42 bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url); 43 double parseDate(const String&); 44 String filenameFromHTTPContentDisposition(const String&); 45 String extractMIMETypeFromMediaType(const String&); 46 String extractCharsetFromMediaType(const String&); 47 XSSProtectionDisposition parseXSSProtectionHeader(const String&); 48 41 49 } 42 50