26784 2009-06-28 12:35:02 -0700 Enable XSSAuditor by default 2009-07-10 18:22:42 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 26807 1 abarth webkit-unassigned abarth dbates sam oldest_to_newest 128746 0 abarth 2009-06-28 12:35:02 -0700 We should try enabling the XSSAuditor by default in the nightly to get a sense for the false positive rate. Sam said we should do this once we have decent test coverage, and we now have 29 tests. Please CC me and Dan on any regressions / false positives we find. If we get a bunch of them, we can turn off the auditor again while we think about how to reduce them. We still have one known false negative (HTML entities), but we can work on fixing that in parallel. Also, we should support the "turn off XSS filtering" header that IE8 supports, but I'll file a separate bug about that. 128747 1 31993 abarth 2009-06-28 12:35:51 -0700 Created attachment 31993 patch 128769 2 dbates 2009-06-28 19:30:46 -0700 Another known false negative is HTTP header injection. (In reply to comment #0) > We should try enabling the XSSAuditor by default in the nightly to get a sense > for the false positive rate. Sam said we should do this once we have decent > test coverage, and we now have 29 tests. > > Please CC me and Dan on any regressions / false positives we find. If we get a > bunch of them, we can turn off the auditor again while we think about how to > reduce them. > > We still have one known false negative (HTML entities), but we can work on > fixing that in parallel. Also, we should support the "turn off XSS filtering" > header that IE8 supports, but I'll file a separate bug about that. > 128779 3 abarth 2009-06-28 23:05:08 -0700 (In reply to comment #2) > Another known false negative is HTTP header injection. True. I suppose we could try to stop that too. I was thinking of that as more of a non-goal for the first version. 128783 4 eric 2009-06-29 00:04:25 -0700 I would think it would be annoying that this would break plexode.com and hixie's live dom viewer in the nightlies. Not a deal breaker. But definitely important that we give sites a way to work around this. 128784 5 eric 2009-06-29 00:05:57 -0700 FYI, neither plexode.com or Hixie's dom viewer send the IE8 header at this time: % curl -I http://www.plexode.com/cgi-bin/main.py HTTP/1.1 200 OK Date: Mon, 29 Jun 2009 07:03:40 GMT Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Content-Type: text/html % curl -I http://software.hixie.ch/utilities/js/live-dom-viewer/ HTTP/1.1 200 OK Date: Mon, 29 Jun 2009 07:04:41 GMT Server: Apache/2.0.63 (Unix) PHP/5.2.6 mod_ssl/2.0.63 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2 Accept-Ranges: bytes Vary: Accept-Encoding X-Pingback: http://tracking.damowmow.com/ Content-Language: en-GB-x-Hixie Content-Length: 13791 Content-Type: text/html; charset=utf-8 128785 6 eric 2009-06-29 00:08:49 -0700 I emailed Aaron Whyte (plexode) and Hixie to notify them of this pending change. BTW, I'm totally in favor of this change. Although I would prefer we added HTTP Header opt-in support before.... or at least really really soon after making this change. 128789 7 ian 2009-06-29 01:25:17 -0700 I'm not adding anything that's explicitly asking the browsers to follow the specs. 128822 8 abarth 2009-06-29 09:16:17 -0700 Eric, do you have examples of where plexode.com and hixie's live dom viewer do the wrong thing with the auditor turned on? I played with them for a few minutes and they seemed to work fine. (You can test the auditor by enabling the pref in the above patch or by grabbing a trunk build of Chromium and passing the --enable-xss-auditor command line flag.) 128846 9 abarth 2009-06-29 11:23:58 -0700 We need to fix Bug 26807 first. 129012 10 31993 eric 2009-06-30 02:58:13 -0700 Comment on attachment 31993 patch No need for this to be in the review queue while blocked by a crasher. Removing r=? for now. 129909 11 31993 abarth 2009-07-06 01:33:27 -0700 Comment on attachment 31993 patch Marking for review again now that this is actionable again. 130611 12 31993 sam 2009-07-08 21:42:42 -0700 Comment on attachment 31993 patch By the power of Grayskull! r=me 130615 13 31993 abarth 2009-07-08 21:58:26 -0700 Comment on attachment 31993 patch Clearing the review flag. We're going to hold off landing this for a few days. 131039 14 abarth 2009-07-10 18:22:42 -0700 Sending WebKit/mac/ChangeLog Sending WebKit/mac/WebView/WebPreferences.mm Sending WebKit/win/ChangeLog Sending WebKit/win/WebPreferences.cpp Transmitting file data .... Committed revision 45740. 31993 2009-06-28 12:35:51 -0700 2009-07-08 21:58:26 -0700 patch bugzilla_requires_a_filename.patch text/plain 2906 abarth SW5kZXg6IFdlYktpdC9tYWMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYktpdC9tYWMvQ2hh bmdlTG9nCShyZXZpc2lvbiA0NTMzMCkKKysrIFdlYktpdC9tYWMvQ2hhbmdlTG9nCSh3b3JraW5n IGNvcHkpCkBAIC0xLDMgKzEsMTIgQEAKKzIwMDktMDYtMjggIEFkYW0gQmFydGggIDxhYmFydGhA d2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICBFbmFibGUgWFNTQXVkaXRvciBieSBkZWZhdWx0LgorCisgICAgICAgICogV2ViVmlldy9X ZWJQcmVmZXJlbmNlcy5tbToKKyAgICAgICAgKCtbV2ViUHJlZmVyZW5jZXMgaW5pdGlhbGl6ZV0p OgorCiAyMDA5LTA2LTI2ICBDaHJpcyBNYXJyaW4gIDxjbWFycmluQGFwcGxlLmNvbT4KIAogICAg ICAgICBSZXZpZXdlZCBieSBTaW1vbiBGcmFzZXIgIDxzaW1vbi5mcmFzZXJAYXBwbGUuY29tPi4K SW5kZXg6IFdlYktpdC9tYWMvV2ViVmlldy9XZWJQcmVmZXJlbmNlcy5tbQo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBXZWJLaXQvbWFjL1dlYlZpZXcvV2ViUHJlZmVyZW5jZXMubW0JKHJldmlzaW9uIDQ1MzMwKQor KysgV2ViS2l0L21hYy9XZWJWaWV3L1dlYlByZWZlcmVuY2VzLm1tCSh3b3JraW5nIGNvcHkpCkBA IC0zNDcsNyArMzQ3LDcgQEAgc3RhdGljIFdlYkNhY2hlTW9kZWwgY2FjaGVNb2RlbEZvck1haW5C dQogICAgICAgICBbTlNOdW1iZXIgbnVtYmVyV2l0aEJvb2w6Tk9dLCAgIFdlYktpdFdlYkFyY2hp dmVEZWJ1Z01vZGVFbmFibGVkUHJlZmVyZW5jZUtleSwKICAgICAgICAgW05TTnVtYmVyIG51bWJl cldpdGhCb29sOk5PXSwgICBXZWJLaXRPZmZsaW5lV2ViQXBwbGljYXRpb25DYWNoZUVuYWJsZWRQ cmVmZXJlbmNlS2V5LAogICAgICAgICBbTlNOdW1iZXIgbnVtYmVyV2l0aEJvb2w6WUVTXSwgIFdl YktpdFpvb21zVGV4dE9ubHlQcmVmZXJlbmNlS2V5LAotICAgICAgICBbTlNOdW1iZXIgbnVtYmVy V2l0aEJvb2w6Tk9dLCAgIFdlYktpdFhTU0F1ZGl0b3JFbmFibGVkUHJlZmVyZW5jZUtleSwKKyAg ICAgICAgW05TTnVtYmVyIG51bWJlcldpdGhCb29sOllFU10sICBXZWJLaXRYU1NBdWRpdG9yRW5h YmxlZFByZWZlcmVuY2VLZXksCiAgICAgICAgIFtOU051bWJlciBudW1iZXJXaXRoQm9vbDpZRVNd LCAgV2ViS2l0QWNjZWxlcmF0ZWRDb21wb3NpdGluZ0VuYWJsZWRQcmVmZXJlbmNlS2V5LAogICAg ICAgICBuaWxdOwogCkluZGV4OiBXZWJLaXQvd2luL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBX ZWJLaXQvd2luL0NoYW5nZUxvZwkocmV2aXNpb24gNDUzMzApCisrKyBXZWJLaXQvd2luL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDEyIEBACisyMDA5LTA2LTI4ICBBZGFtIEJh cnRoICA8YWJhcnRoQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgRW5hYmxlIFhTU0F1ZGl0b3IgYnkgZGVmYXVsdC4KKworICAgICAg ICAqIFdlYlByZWZlcmVuY2VzLmNwcDoKKyAgICAgICAgKFdlYlByZWZlcmVuY2VzOjppbml0aWFs aXplRGVmYXVsdFNldHRpbmdzKToKKwogMjAwOS0wNi0yNiAgQnJpYW4gV2VpbnN0ZWluICA8Yndl aW5zdGVpbkBhcHBsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgU2ltb24gRnJhc2VyLgpJ bmRleDogV2ViS2l0L3dpbi9XZWJQcmVmZXJlbmNlcy5jcHAKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViS2l0 L3dpbi9XZWJQcmVmZXJlbmNlcy5jcHAJKHJldmlzaW9uIDQ1MzMwKQorKysgV2ViS2l0L3dpbi9X ZWJQcmVmZXJlbmNlcy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTIwNSw3ICsyMDUsNyBAQCB2b2lk IFdlYlByZWZlcmVuY2VzOjppbml0aWFsaXplRGVmYXVsdFNlCiAgICAgQ0ZEaWN0aW9uYXJ5QWRk VmFsdWUoZGVmYXVsdHMsIENGU1RSKFdlYktpdEphdmFTY3JpcHRFbmFibGVkUHJlZmVyZW5jZUtl eSksIGtDRkJvb2xlYW5UcnVlKTsKICAgICBDRkRpY3Rpb25hcnlBZGRWYWx1ZShkZWZhdWx0cywg Q0ZTVFIoV2ViS2l0V2ViU2VjdXJpdHlFbmFibGVkUHJlZmVyZW5jZUtleSksIGtDRkJvb2xlYW5U cnVlKTsKICAgICBDRkRpY3Rpb25hcnlBZGRWYWx1ZShkZWZhdWx0cywgQ0ZTVFIoV2ViS2l0QWxs b3dVbml2ZXJzYWxBY2Nlc3NGcm9tRmlsZVVSTHNQcmVmZXJlbmNlS2V5KSwga0NGQm9vbGVhblRy dWUpOwotICAgIENGRGljdGlvbmFyeUFkZFZhbHVlKGRlZmF1bHRzLCBDRlNUUihXZWJLaXRYU1NB dWRpdG9yRW5hYmxlZFByZWZlcmVuY2VLZXkpLCBrQ0ZCb29sZWFuRmFsc2UpOworICAgIENGRGlj dGlvbmFyeUFkZFZhbHVlKGRlZmF1bHRzLCBDRlNUUihXZWJLaXRYU1NBdWRpdG9yRW5hYmxlZFBy ZWZlcmVuY2VLZXkpLCBrQ0ZCb29sZWFuVHJ1ZSk7CiAgICAgQ0ZEaWN0aW9uYXJ5QWRkVmFsdWUo ZGVmYXVsdHMsIENGU1RSKFdlYktpdEphdmFTY3JpcHRDYW5PcGVuV2luZG93c0F1dG9tYXRpY2Fs bHlQcmVmZXJlbmNlS2V5KSwga0NGQm9vbGVhblRydWUpOwogICAgIENGRGljdGlvbmFyeUFkZFZh bHVlKGRlZmF1bHRzLCBDRlNUUihXZWJLaXRQbHVnaW5zRW5hYmxlZFByZWZlcmVuY2VLZXkpLCBr Q0ZCb29sZWFuVHJ1ZSk7CiAgICAgQ0ZEaWN0aW9uYXJ5QWRkVmFsdWUoZGVmYXVsdHMsIENGU1RS KFdlYktpdERhdGFiYXNlc0VuYWJsZWRQcmVmZXJlbmNlS2V5KSwga0NGQm9vbGVhblRydWUpOwo=