Changeset 56295 in webkit

Timestamp:

Mar 19, 2010 8:55:13 PM (14 years ago)

Author:

eric@webkit.org

Message:

2010-03-19 Adam Barth <​abarth@webkit.org>

Reviewed by Daniel Bates.

Change XSSAuditor block syntax
​https://bugs.webkit.org/show_bug.cgi?id=34436

Update tests to account for the new blocking syntax. Added test for
disabling the XSS filter.

• http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt:
• http/tests/security/xssAuditor/malformed-xss-protection-header.html:
• http/tests/security/xssAuditor/no-protection-script-tag-expected.txt: Added.
• http/tests/security/xssAuditor/no-protection-script-tag.html: Added.
• http/tests/security/xssAuditor/resources/echo-head-base-href.pl:
• http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl:
• http/tests/security/xssAuditor/resources/echo-intertag.pl:
• http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt: Added.
• http/tests/security/xssAuditor/xss-protection-parsing-01.html: Added.

2010-03-19 Adam Barth <​abarth@webkit.org>

Reviewed by Daniel Bates.

Change XSSAuditor block syntax
​https://bugs.webkit.org/show_bug.cgi?id=34436

Update our blocking syntax to something more reasonable. Also,
implemented a way for a web site to disable the filter.

Tests: http/tests/security/xssAuditor/no-protection-script-tag.html

http/tests/security/xssAuditor/xss-protection-parsing-01.html

• page/XSSAuditor.cpp: (WebCore::XSSAuditor::xssProtection): (WebCore::XSSAuditor::findInRequest):
• page/XSSAuditor.h:
• platform/network/HTTPParsers.cpp: (WebCore::skipToken): (WebCore::parseXSSProtectionHeader):
• platform/network/HTTPParsers.h: (WebCore::):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/no-protection-script-tag-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/no-protection-script-tag.html (added)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html (copied) (copied from trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/page/XSSAuditor.cpp (modified) (3 diffs)
• WebCore/page/XSSAuditor.h (modified) (2 diffs)
• WebCore/platform/network/HTTPParsers.cpp (modified) (2 diffs)
• WebCore/platform/network/HTTPParsers.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-03-19  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Change XSSAuditor block syntax
+        https://bugs.webkit.org/show_bug.cgi?id=34436
+
+        Update tests to account for the new blocking syntax.  Added test for
+        disabling the XSS filter.
+
+        * http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt:
+        * http/tests/security/xssAuditor/malformed-xss-protection-header.html:
+        * http/tests/security/xssAuditor/no-protection-script-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/no-protection-script-tag.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-head-base-href.pl:
+        * http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl:
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+        * http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt: Added.
+        * http/tests/security/xssAuditor/xss-protection-parsing-01.html: Added.
+
 2010-03-19  Zhenyao Mo  <zmo@google.com>
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header-expected.txt

@@ -8 +8 @@
 Frame: 'frame'
 --------
-
+If you see this message and no JavaScript alert() then the test PASSED.

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-xss-protection-header.html

@@ -14 +14 @@
 <body>
 <p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p>
-<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?notifyDone=1&custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
 </iframe>
 </body>

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href.pl

@@ -6 +6 @@
 
 if ($cgi->param('enable-full-block')) {
-    print "X-XSS-Protection: 12\n";
+    print "X-XSS-Protection: 1; mode=block\n";
 }
 print "Content-Type: text/html; charset=UTF-8\n\n";

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag-click-and-notify.pl

@@ -6 +6 @@
 
 if ($cgi->param('enable-full-block')) {
-    print "X-XSS-Protection: 12\n";
+    print "X-XSS-Protection: 1; mode=block\n";
 }
 print "Content-Type: text/html; charset=UTF-8\n\n";

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

@@ -6 +6 @@
 
 if ($cgi->param('enable-full-block')) {
-    print "X-XSS-Protection: 12\n";
+    print "X-XSS-Protection: 1; mode=block\n";
+}
+if ($cgi->param('disable-protection')) {
+    print "X-XSS-Protection: 0\n";
+}
+if ($cgi->param('crazy-header')) {
+    print "X-XSS-Protection:   1  ;MoDe =  bLocK   \n";
 }
 if ($cgi->param('custom-header')) {

trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
 
-This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds 16 characters.
+This tests our parsing of the X-XSS-Protection header.
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/xss-protection-parsing-01.html

@@ -13 +13 @@
 </head>
 <body>
-<p>This tests that the X-XSS-Protection header is not ignored when the length of its value exceeds <a href="https://bugs.webkit.org/show_bug.cgi?id=27312#c13">16 characters.</a></p>
-<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?custom-header=X-XSS-Protection: 12345678901234567&q=<script>alert(/XSS/)</script><p>If you see this message and no JavaScript alert() then the test PASSED.</p>">
+<p>This tests our parsing of the X-XSS-Protection header.</p>
+<iframe id="frame" onload="checkIfFrameLocationMatchesURLAndCallDone('frame', 'about:blank')" src="http://127.0.0.1:8000/security/xssAuditor/resources/echo-intertag.pl?crazy-header=1&q=<script>alert(/XSS/)</script><p>If you see this message then the test FAILED.</p>">
 </iframe>
 </body>

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-03-19  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Daniel Bates.
+
+        Change XSSAuditor block syntax
+        https://bugs.webkit.org/show_bug.cgi?id=34436
+
+        Update our blocking syntax to something more reasonable.  Also,
+        implemented a way for a web site to disable the filter.
+
+        Tests: http/tests/security/xssAuditor/no-protection-script-tag.html
+               http/tests/security/xssAuditor/xss-protection-parsing-01.html
+
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::xssProtection):
+        (WebCore::XSSAuditor::findInRequest):
+        * page/XSSAuditor.h:
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::skipToken):
+        (WebCore::parseXSSProtectionHeader):
+        * platform/network/HTTPParsers.h:
+        (WebCore::):
+
 2010-03-19  Eric Uhrhane  <ericu@chromium.org>
 

trunk/WebCore/page/XSSAuditor.cpp

@@ -291 +291 @@
 }
 
-bool XSSAuditor::shouldFullPageBlockForXSSProtectionHeader() const
-{
-    // If we detect an XSS attack and find the HTTP header "X-XSS-Protection: 12" then
-    // we will stop loading the page as opposed to ignoring the script. The value "12"
-    // came from a personal communication, see <https://bugs.webkit.org/show_bug.cgi?id=27312>
-    // for more details.
+XSSProtectionDisposition XSSAuditor::xssProtection() const
+{
     DEFINE_STATIC_LOCAL(String, XSSProtectionHeader, ("X-XSS-Protection"));
 
@@ -303 +299 @@
         frame = m_frame->tree()->parent();
 
-    // We strip any whitespace characters to conform to the behavior in Internet Explorer.
-    String xssProtectionValue = frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader).stripWhiteSpace();
-    return (xssProtectionValue.length() >= 2 && xssProtectionValue[0] == '1' && xssProtectionValue[1] == '2');
+    return parseXSSProtectionHeader(frame->loader()->documentLoader()->response().httpHeaderField(XSSProtectionHeader));
 }
 
@@ -319 +313 @@
         blockFrame = m_frame;
     }
-    if (result && blockFrame && shouldFullPageBlockForXSSProtectionHeader()) {
-        blockFrame->loader()->stopAllLoaders();
-        blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String());
-    }
-    return result;
+    if (!result)
+        return false;
+
+    switch (xssProtection()) {
+    case XSSProtectionDisabled:
+        return false;
+    case XSSProtectionEnabled:
+        break;
+    case XSSProtectionBlockEnabled:
+        if (blockFrame) {
+            blockFrame->loader()->stopAllLoaders();
+            blockFrame->redirectScheduler()->scheduleLocationChange(blankURL(), String());
+        }
+        break;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+    return true;
 }
 

trunk/WebCore/page/XSSAuditor.h

@@ -28 +28 @@
 #define XSSAuditor_h
 
+#include "HTTPParsers.h"
 #include "PlatformString.h"
 #include "TextEncoding.h"
@@ -145 +146 @@
         bool findInRequest(Frame*, const FindTask&) const;
 
-        bool shouldFullPageBlockForXSSProtectionHeader() const;
+        XSSProtectionDisposition xssProtection() const;
 
         // The frame to audit.

trunk/WebCore/platform/network/HTTPParsers.cpp

@@ -56 +56 @@
 }
 
+// Returns true if the function can match the whole token (case insensitive).
+// Note: Might return pos == str.length()
+static inline bool skipToken(const String& str, int& pos, const char* token)
+{
+    int len = str.length();
+
+    while (pos != len && *token) {
+        if (toASCIILower(str[pos]) != *token++)
+            return false;
+        ++pos;
+    }
+
+    return true;
+}
+
 bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url)
 {
@@ -221 +236 @@
     return String();
 }
-}
+
+XSSProtectionDisposition parseXSSProtectionHeader(const String& header)
+{
+    String stippedHeader = header.stripWhiteSpace();
+
+    if (stippedHeader.isEmpty())
+        return XSSProtectionEnabled;
+
+    if (stippedHeader[0] == '0')
+        return XSSProtectionDisabled;
+
+    int length = (int)header.length();
+    int pos = 0;
+    if (stippedHeader[pos++] == '1'
+        && skipWhiteSpace(stippedHeader, pos, false)
+        && stippedHeader[pos++] == ';'
+        && skipWhiteSpace(stippedHeader, pos, false)
+        && skipToken(stippedHeader, pos, "mode")
+        && skipWhiteSpace(stippedHeader, pos, false)
+        && stippedHeader[pos++] == '='
+        && skipWhiteSpace(stippedHeader, pos, false)
+        && skipToken(stippedHeader, pos, "block")
+        && pos == length)
+        return XSSProtectionBlockEnabled;
+
+    return XSSProtectionEnabled;
+}
+
+}

trunk/WebCore/platform/network/HTTPParsers.h

@@ -32 +32 @@
 namespace WebCore {
 
-    class String;
+class String;
 
-    bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url);
-    double parseDate(const String&);
-    String filenameFromHTTPContentDisposition(const String&); 
-    String extractMIMETypeFromMediaType(const String&);
-    String extractCharsetFromMediaType(const String&); 
+enum XSSProtectionDisposition {
+    XSSProtectionDisabled,
+    XSSProtectionEnabled,
+    XSSProtectionBlockEnabled
+};
+
+bool parseHTTPRefresh(const String& refresh, bool fromHttpEquivMeta, double& delay, String& url);
+double parseDate(const String&);
+String filenameFromHTTPContentDisposition(const String&); 
+String extractMIMETypeFromMediaType(const String&);
+String extractCharsetFromMediaType(const String&); 
+XSSProtectionDisposition parseXSSProtectionHeader(const String&);
+
 }