2009-07-12 Adam Barth <abarth@webkit.org>
Reviewed by Oliver Hunt.
Facebook Chat is broken due to XSS auditor
https://bugs.webkit.org/show_bug.cgi?id=27179
Instead of just using the script's URL to detect an XSS attack, we
now use a bit of context before the URL. In particular, we use the
bytes from the beginning of the attribute name to the end of the
attribute value. In virtually all injection attacks, the attacker
would need to supply the attribute name as well as the attribute value.
However, in the Facebook false positive, the attribute name is not
present in the URL.
Tests: http/tests/security/xssAuditor/script-tag-src-redirect-safe.html
http/tests/security/xssAuditor/script-tag-with-source-double-quote.html
http/tests/security/xssAuditor/script-tag-with-source-no-quote.html
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::parseTag):
* html/HTMLTokenizer.h:
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
* page/XSSAuditor.h:
2009-07-12 Adam Barth <abarth@webkit.org>
Reviewed by Oliver Hunt.
Facebook Chat is broken due to XSS auditor
https://bugs.webkit.org/show_bug.cgi?id=27179
Add some more test coverage to our handling of script tags with src
attributes. Also, ensure that we don't raise the alarm when a URL
parameter is injected directly into the attribute value.
* http/tests/security/xssAuditor/resources/echo-script-src.pl: Added.
* http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt: Copied from LayoutTests/http/tests/security/xssAuditor/base-href-safe-expected.txt.
* http/tests/security/xssAuditor/script-tag-src-redirect-safe.html: Added.
* http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt: Copied from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt.
* http/tests/security/xssAuditor/script-tag-with-source-double-quote.html: Added.
* http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt: Copied from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt.
* http/tests/security/xssAuditor/script-tag-with-source-no-quote.html: Added.
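The matching rule described in both entries above (compare the bytes from the attribute name through the attribute value against the decoded request URL, rather than the script URL alone), modelled as an added stand-alone example. This is not WebKit's XSSAuditor or HTMLTokenizer code; the helper names (percentDecode, attributeSnippet, oldAuditorBlocks, newAuditorBlocks), the decoding rules and the sample request URLs and tags are all constructed for illustration, and the snippet extraction is a simplification of what the tokenizer records.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper: percent-decode a URL before matching, otherwise "%22" in the
// request would never match the '"' that ends up in the rendered page.
static std::string percentDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (in[i] == '+') {
            out += ' ';
        } else {
            out += in[i];
        }
    }
    return out;
}

static std::string lowerAscii(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static bool containsIgnoringCase(const std::string& haystack, const std::string& needle) {
    return !needle.empty() && lowerAscii(haystack).find(lowerAscii(needle)) != std::string::npos;
}

// Pre-fix behaviour: match only the script's URL against the decoded request URL.
bool oldAuditorBlocks(const std::string& requestUrl, const std::string& scriptSrc) {
    return containsIgnoringCase(percentDecode(requestUrl), scriptSrc);
}

// Post-fix behaviour: match the bytes from the attribute name to the end of its value.
bool newAuditorBlocks(const std::string& requestUrl, const std::string& attributeSnippet) {
    return containsIgnoringCase(percentDecode(requestUrl), attributeSnippet);
}

// Hypothetical stand-in for the offsets the tokenizer records: given raw tag text and an
// attribute name, return the bytes from the name to the end of the value, for
// double-quoted, single-quoted and unquoted values (closing quote not included).
std::string attributeSnippet(const std::string& tagText, const std::string& attrName) {
    size_t nameStart = lowerAscii(tagText).find(lowerAscii(attrName));
    if (nameStart == std::string::npos) return "";
    size_t pos = nameStart + attrName.size();
    while (pos < tagText.size() && std::isspace(static_cast<unsigned char>(tagText[pos]))) ++pos;
    if (pos >= tagText.size() || tagText[pos] != '=')
        return tagText.substr(nameStart, pos - nameStart);   // attribute without a value
    ++pos;
    while (pos < tagText.size() && std::isspace(static_cast<unsigned char>(tagText[pos]))) ++pos;
    size_t valueEnd = pos;
    if (pos < tagText.size() && (tagText[pos] == '"' || tagText[pos] == '\'')) {
        valueEnd = tagText.find(tagText[pos], pos + 1);
        if (valueEnd == std::string::npos) valueEnd = tagText.size();
    } else {
        while (valueEnd < tagText.size()
               && !std::isspace(static_cast<unsigned char>(tagText[valueEnd]))
               && tagText[valueEnd] != '>') ++valueEnd;
    }
    return tagText.substr(nameStart, valueEnd - nameStart);
}

// Constructed sample: a legitimate page whose request URL happens to carry the script URL
// as a parameter (the false-positive shape), and a real reflected injection.
const std::string kSafeRequest   = "http://app.example/page?next=http://cdn.example/chat.js";
const std::string kSafeTag       = "<script src=\"http://cdn.example/chat.js\">";
const std::string kSafeScriptSrc = "http://cdn.example/chat.js";
const std::string kAttackRequest = "http://app.example/page?q=%22%3E%3Cscript%20src%3D%22http%3A%2F%2Fevil.example%2Fx.js%22%3E";
const std::string kAttackTag     = "<script src=\"http://evil.example/x.js\">";
const std::string kUnquotedRequest = "http://app.example/page?q=%3E%3Cscript%20src%3Dhttp%3A%2F%2Fevil.example%2Fx.js%3E";
const std::string kUnquotedTag     = "<script src=http://evil.example/x.js>";

int main() {
    std::cout << "safe page, old rule blocks: " << oldAuditorBlocks(kSafeRequest, kSafeScriptSrc) << '\n';
    std::cout << "safe page, new rule blocks: " << newAuditorBlocks(kSafeRequest, attributeSnippet(kSafeTag, "src")) << '\n';
    std::cout << "injection, new rule blocks: " << newAuditorBlocks(kAttackRequest, attributeSnippet(kAttackTag, "src")) << '\n';
    std::cout << "unquoted injection, new rule blocks: " << newAuditorBlocks(kUnquotedRequest, attributeSnippet(kUnquotedTag, "src")) << '\n';
    return 0;
}
```

The safe request contains the script URL but not the `src="` prefix, so only the old rule fires on it; an attacker reflecting a whole tag has to supply the attribute name too, so both the quoted and unquoted injections still match under the new rule.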
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@45787 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed