27189 2009-07-11 22:26:41 -0700 r45752+ nightly: @import css generates wrong path 2009-07-12 14:47:14 -0700 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED http://forum.dvdtalk.com/forum-feedback-support-4/ Regression, XSSAuditor P2 Major --- 0 kevin webkit-unassigned abarth dbates john mjs simon oldest_to_newest 131163 0 kevin 2009-07-11 22:26:41 -0700 The forum's on the site load a css from: @import url("clientscript/vbulletin_css/style-bbed93be-00019.css"); r45752+ generates a file not found and the css doesn't render when it tries to load the path: http://forum.dvdtalk.com/forum-feedback-support-4/clientscript/vbulletin_css/style-bbed93be-00019.css r45702 and earlier does render correctly and looks for the path: http://forum.dvdtalk.com/clientscript/vbulletin_css/style-bbed93be-00019.css 131181 1 mrowe 2009-07-12 10:52:34 -0700 Sounds like it could be another XSS auditor issue: > Refused to execute a JavaScript script. Source code of script found within request It'd be great if these errors mentioned the URL that they relate to. 131186 2 dbates 2009-07-12 11:46:45 -0700 This issue is triggered because of the HTML Base element: <base href="http://forum.dvdtalk.com/" /> XSSAuditor thinks this is an attack because the URL of the Base element appears in the URL of the page (say http://forum.dvdtalk.com/dvd-talk-3/). A check in XSSAuditor::canSetBaseElementURL (line: m_frame->document()->url().baseAsString() != baseElementURL.baseAsString()) is insufficient. Working on patch. (In reply to comment #0) > The forum's on the site load a css from: > > @import url("clientscript/vbulletin_css/style-bbed93be-00019.css"); > > r45752+ generates a file not found and the css doesn't render when it tries to > load the path: > > http://forum.dvdtalk.com/forum-feedback-support-4/clientscript/vbulletin_css/style-bbed93be-00019.css > > r45702 and earlier does render correctly and looks for the path: > > http://forum.dvdtalk.com/clientscript/vbulletin_css/style-bbed93be-00019.css 131190 3 32631 dbates 2009-07-12 12:36:10 -0700 Created attachment 32631 Patch with test 131194 4 dbates 2009-07-12 13:13:48 -0700 *** Bug 27185 has been marked as a duplicate of this bug. *** 131204 5 dbates 2009-07-12 14:45:30 -0700 *** Bug 27194 has been marked as a duplicate of this bug. *** 131205 6 abarth 2009-07-12 14:46:54 -0700 Sending LayoutTests/ChangeLog Adding LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/base-href-safe3.html Adding LayoutTests/http/tests/security/xssAuditor/resources/base-href/base-href-safe3.html Sending WebCore/ChangeLog Sending WebCore/page/XSSAuditor.cpp Transmitting file data ...... Committed revision 45763. http://trac.webkit.org/changeset/45763 32631 2009-07-12 12:36:10 -0700 2009-07-12 13:21:01 -0700 Patch with test Bug27189_1.patch text/plain 4301 dbates SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NTc2MSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjAgQEAKKzIwMDktMDctMTIgIERhbmllbCBCYXRlcyAgPGRiYXRlc0BpbnR1ZGF0 YS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI3MTg5CisgICAgICAgIAor ICAgICAgICBGaXhlcyBpbnN1ZmZpY2llbnQgY2hlY2sgaW4gWFNTQXVkaXRvcjo6Y2FuU2V0QmFz ZUVsZW1lbnRVUkwgdGhhdCBjYXVzZWQgCisgICAgICAgIFhTU0F1ZGl0b3IgdG8gaW5jb3JyZWN0 bHkgYmxvY2sgSFRNTCBCYXNlIGVsZW1lbnRzIHdob3NlIGJhc2UgcGF0aCBjb2luY2lkZWQgCisg ICAgICAgIHdpdGggdGhlIFVSTCBvZiB0aGUgcGFnZS4KKworICAgICAgICBUZXN0OiBodHRwL3Rl c3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvYmFzZS1ocmVmLXNhZmUzLmh0bWwKKworICAgICAgICAq IHBhZ2UvWFNTQXVkaXRvci5jcHA6CisgICAgICAgIChXZWJDb3JlOjpYU1NBdWRpdG9yOjpjYW5T ZXRCYXNlRWxlbWVudFVSTCk6IENoYW5nZWQgY29uZGl0aW9uYWwgdG8gb25seSBjYWxsIAorICAg ICAgICBYU1NBdWRpdG9yOjpmaW5kSW5SZXF1ZXN0KCkgaWYgdGhlIGhvc3QgaW4gdGhlIHBhZ2Ug VVJMIGRpc2FncmVlcyB3aXRoIHRoZSBob3N0IAorICAgICAgICBpbiB0aGUgYmFzZSBlbGVtZW50 IFVSTC4KKwogMjAwOS0wNy0xMiAgWGFuIExvcGV6ICA8eGxvcGV6QGlnYWxpYS5jb20+CiAKICAg ICAgICAgUmV2aWV3ZWQgYnkgR3VzdGF2byBOb3JvbmhhLgpJbmRleDogV2ViQ29yZS9wYWdlL1hT U0F1ZGl0b3IuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAko cmV2aXNpb24gNDU3NTcpCisrKyBXZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5jcHAJKHdvcmtpbmcg Y29weSkKQEAgLTEzNyw3ICsxMzcsNyBAQCBib29sIFhTU0F1ZGl0b3I6OmNhblNldEJhc2VFbGVt ZW50VVJMKGNvCiAgICAgICAgIHJldHVybiB0cnVlOwogICAgIAogICAgIEtVUkwgYmFzZUVsZW1l bnRVUkwobV9mcmFtZS0+ZG9jdW1lbnQoKS0+dXJsKCksIHVybCk7Ci0gICAgaWYgKG1fZnJhbWUt PmRvY3VtZW50KCktPnVybCgpLmJhc2VBc1N0cmluZygpICE9IGJhc2VFbGVtZW50VVJMLmJhc2VB c1N0cmluZygpICYmIGZpbmRJblJlcXVlc3QodXJsKSkgeworICAgIGlmIChtX2ZyYW1lLT5kb2N1 bWVudCgpLT51cmwoKS5ob3N0KCkgIT0gYmFzZUVsZW1lbnRVUkwuaG9zdCgpICYmIGZpbmRJblJl cXVlc3QodXJsKSkgewogICAgICAgICBERUZJTkVfU1RBVElDX0xPQ0FMKFN0cmluZywgY29uc29s ZU1lc3NhZ2UsICgiUmVmdXNlZCB0byBleGVjdXRlIGEgSmF2YVNjcmlwdCBzY3JpcHQuIFNvdXJj ZSBjb2RlIG9mIHNjcmlwdCBmb3VuZCB3aXRoaW4gcmVxdWVzdCIpKTsKICAgICAgICAgbV9mcmFt ZS0+ZG9tV2luZG93KCktPmNvbnNvbGUoKS0+YWRkTWVzc2FnZShKU01lc3NhZ2VTb3VyY2UsIEVy cm9yTWVzc2FnZUxldmVsLCBjb25zb2xlTWVzc2FnZSwgMSwgU3RyaW5nKCkpOwogICAgICAgICBy ZXR1cm4gZmFsc2U7CkluZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g TGF5b3V0VGVzdHMvQ2hhbmdlTG9nCShyZXZpc2lvbiA0NTc2MSkKKysrIExheW91dFRlc3RzL0No YW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDA5LTA3LTEyICBEYW5p ZWwgQmF0ZXMgIDxkYmF0ZXNAaW50dWRhdGEuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0yNzE4OQorICAgICAgICAKKyAgICAgICAgVGVzdHMgdGhhdCBYU1NBdWRpdG9yIGRv ZXMgbm90IGJsb2NrIEhUTUwgQmFzZSBlbGVtZW50cyB3aG9zZSBwYXRoIGhhcyB0aGUgCisgICAg ICAgIHNhbWUgaG9zdCBhcyB0aGUgcGFnZS4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJp dHkveHNzQXVkaXRvci9iYXNlLWhyZWYtc2FmZTMtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAg ICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvYmFzZS1ocmVmLXNhZmUzLmh0bWw6 IEFkZGVkLgorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJj ZXMvYmFzZS1ocmVmL2Jhc2UtaHJlZi1zYWZlMy5odG1sOiBBZGRlZC4KKwogMjAwOS0wNy0xMSAg T2xpdmVyIEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IFNp bW9uIEZyYXNlci4KSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVk aXRvci9iYXNlLWhyZWYtc2FmZTMtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRl c3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9iYXNlLWhyZWYtc2FmZTMtZXhwZWN0 ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94 c3NBdWRpdG9yL2Jhc2UtaHJlZi1zYWZlMy1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0w LDAgKzEsMiBAQAorQUxFUlQ6IFRoaXMgaXMgYSBzYWZlIHNjcmlwdC4KKwpJbmRleDogTGF5b3V0 VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2Jhc2UtaHJlZi1zYWZlMy5odG1s Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRv ci9iYXNlLWhyZWYtc2FmZTMuaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0dHAv dGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9iYXNlLWhyZWYtc2FmZTMuaHRtbAkocmV2aXNpb24g MCkKQEAgLTAsMCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNj cmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5b3V0VGVzdENv bnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICBsYXlvdXRUZXN0Q29udHJvbGxlci5zZXRYU1NBdWRp dG9yRW5hYmxlZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9oZWFkPgorPGJvZHk+Cis8aWZyYW1l IHNyYz0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyY2Vz L2Jhc2UtaHJlZi9iYXNlLWhyZWYtc2FmZTMuaHRtbCI+Cis8L2lmcmFtZT4KKzwvYm9keT4KKzwv aHRtbD4KSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9y ZXNvdXJjZXMvYmFzZS1ocmVmL2Jhc2UtaHJlZi1zYWZlMy5odG1sCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExh eW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvYmFzZS1o cmVmL2Jhc2UtaHJlZi1zYWZlMy5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9iYXNlLWhyZWYvYmFzZS1ocmVm LXNhZmUzLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTUgQEAKKzwhRE9DVFlQRSBodG1s PgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91dFRlc3RDb250cm9s bGVyKSB7CisgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAgbGF5b3V0VGVz dENvbnRyb2xsZXIuc2V0WFNTQXVkaXRvckVuYWJsZWQodHJ1ZSk7Cit9Cis8L3NjcmlwdD4KKzxi YXNlIGhyZWY9J2h0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291 cmNlcy8nPgorPC9oZWFkPgorPGJvZHk+Cis8c2NyaXB0IHNyYz0ic2FmZS1zY3JpcHQuanMiPjwv c2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgo=