100423 2012-10-25 15:08:17 -0700 Test full-block-iframe-no-inherit.php generates an invalid X-XSS-PROTECTION header. 2012-10-25 20:10:08 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Trivial --- 1 tsepez tsepez abarth dbates webkit.review.bot oldest_to_newest 751256 0 tsepez 2012-10-25 15:08:17 -0700 I just noticed a typo in the test file full-block-iframe-no-inherit.php: <?php header("X-XSS-Protection: full-block"); ?> But since there is no full-block directive, what is meant is <?php header("X-XSS-Protection: 1; mode=block"); ?> 751281 1 170746 tsepez 2012-10-25 15:33:28 -0700 Created attachment 170746 Patch Heh. 751285 2 170746 abarth 2012-10-25 15:35:15 -0700 Comment on attachment 170746 Patch Why didn't this test fail without this change? Should we add a new test that covers the invalid header case? 751299 3 tsepez 2012-10-25 15:48:26 -0700 (In reply to comment #2) > (From update of attachment 170746 [details]) > Why didn't this test fail without this change? I think the test looked only for non-application to the iframe, not application to the parent frame. > Should we add a new test that covers the invalid header case? Uh, yes. Want me to fold those into this patch? 751317 4 abarth 2012-10-25 16:05:45 -0700 > Want me to fold those into this patch? Up to you. I'd probably do it in one patch, but it's not super important. 751474 5 170746 webkit.review.bot 2012-10-25 20:10:05 -0700 Comment on attachment 170746 Patch Clearing flags on attachment: 170746 Committed r132563: <http://trac.webkit.org/changeset/132563> 751475 6 webkit.review.bot 2012-10-25 20:10:08 -0700 All reviewed patches have been landed. Closing bug. 170746 2012-10-25 15:33:28 -0700 2012-10-25 20:10:05 -0700 Patch patch_100423.txt text/plain 1219 tsepez SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDEzMjUzOSkKKysrIExheW91dFRlc3RzL0NoYW5nZUxvZwkod29y a2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBACisyMDEyLTEwLTI1ICBUb20gU2VwZXogIDx0c2Vw ZXpAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFRlc3QgZnVsbC1ibG9jay1pZnJhbWUtbm8taW5o ZXJpdC5waHAgZ2VuZXJhdGVzIGFuIGludmFsaWQgWC1YU1MtUFJPVEVDVElPTiBoZWFkZXIuCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMDA0MjMKKwor ICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBDaGFuZ2VkIGhl YWRlciBzeW50YXggZnJvbSBmdWxsLWJsb2NrIHRvIG1vZGU9YmxvY2suCisKKyAgICAgICAgKiBo dHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvZnVsbC1ibG9jay1pZnJhbWUtbm8taW5oZXJp dC5waHA6CisKIDIwMTItMTAtMjUgIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBsZS5j b20+CiAKICAgICAgICAgUmVwb3J0IHRoZSB0aWxlIGNvdmVyYWdlIHJlY3QgaW4gbGF5ZXIgY29v cmRzLCBhbmQgYWRkIHNvbWUgdGVzdHMgZm9yIHRpbGVkIGJhY2tpbmcgYW5kIHpvb21pbmcKSW5k ZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9mdWxsLWJsb2Nr LWlmcmFtZS1uby1pbmhlcml0LnBocAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvZnVsbC1ibG9jay1pZnJhbWUtbm8taW5oZXJpdC5waHAJ KHJldmlzaW9uIDEzMjUzOSkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNz QXVkaXRvci9mdWxsLWJsb2NrLWlmcmFtZS1uby1pbmhlcml0LnBocAkod29ya2luZyBjb3B5KQpA QCAtMSw1ICsxLDUgQEAKIDw/cGhwCi1oZWFkZXIoIlgtWFNTLVByb3RlY3Rpb246IGZ1bGwtYmxv Y2siKTsKK2hlYWRlcigiWC1YU1MtUHJvdGVjdGlvbjogMTsgbW9kZT1ibG9jayIpOwogPz4KIDwh RE9DVFlQRSBodG1sPgogPGh0bWw+Cg==