32908 2009-12-23 11:15:47 -0800 "Refused to execute a JavaScript script" error when embedding SWF with a URL that is also a query parameter 2009-12-23 15:22:49 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Mac (Intel) OS X 10.6 RESOLVED FIXED http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?param=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf XSSAuditor P2 Normal --- 1 vinsonb webkit-unassigned abarth dbates webkit.review.bot oldest_to_newest 174617 0 45443 vinsonb 2009-12-23 11:15:47 -0800 Created attachment 45443 Simple file which embeds the Adobe Flash version checker SWF. It fails to embed if the URL to the SWF is included as a query param Attempting to embed a SWF using the "embed" tag when the "src" attribute is also present in the document's URL fails with the error: Refused to execute a JavaScript script. Source code of script found within request This is happening with the latest WebKit nightly, and also in the latest Chrome beta on both Mac+Windows. For example, the following URL correctly displays the Adobe's standard Flash version checker, which is located at http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html However, if I add the absolute location of the SWF as the value of a query parameter, the error message is displayed in the console, and the SWF fails to embed: http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?anything=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.swf If I slightly change that query parameter so that the URL is no longer an exact match (by removing the "f" from "swf"), everything works fine once again: http://cdn4.kongregate.com/assets/files/0000/0811/chrome_test.html?param=http://kb2.adobe.com/cps/155/tn_15507/images/flashplayerversion1.sw Another example: http://www.youtube.com/watch?v=LkCNJRfSZBU - Movie loads properly http://www.youtube.com/watch?v=LkCNJRfSZBU&breaky=http://s.ytimg.com/yt/swf/watch_as3-vfl138567.swf - Movie fails to load This seems to be related to the XSSAuditor, but I have fairly limited knowledge of how that all works. Please excuse my ignorance if this behavior is intended. I noticed it because some of the functionality on our site was broken with Chrome 4, and have found a simple workaround for our purposes, but figured I should submit a report to you all just in case this is indeed unintended. 174655 1 abarth 2009-12-23 14:06:49 -0800 We've seen this bug a couple of time. I have a fix in mind. I'll try to work it up now. 174659 2 45451 abarth 2009-12-23 14:42:24 -0800 Created attachment 45451 Patch 174660 3 webkit.review.bot 2009-12-23 14:49:19 -0800 style-queue ran check-webkit-style on attachment 45451 without any errors. 174661 4 45451 eric 2009-12-23 14:59:55 -0800 Comment on attachment 45451 Patch Looks sane enough. We talked a bunch via IM and you convinced me that this was non-harmful. findInRequest(url, true, true) needs to use Enums. Could you file a bug about that? 174665 5 45451 abarth 2009-12-23 15:22:43 -0800 Comment on attachment 45451 Patch Clearing flags on attachment: 45451 Committed r52532: <http://trac.webkit.org/changeset/52532> 174666 6 abarth 2009-12-23 15:22:49 -0800 All reviewed patches have been landed. Closing bug. 45443 2009-12-23 11:15:47 -0800 2009-12-23 11:15:47 -0800 Simple file which embeds the Adobe Flash version checker SWF. It fails to embed if the URL to the SWF is included as a query param webkit_embed_test.html text/html 500 vinsonb PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgU3RyaWN0Ly9FTiIg Imh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXN0cmljdC5kdGQiPiAKPGh0 bWwgbGFuZz0iZW4iIHhtbDpsYW5nPSJlbiIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkv eGh0bWwiPiAKICA8aGVhZD4gCiAgICA8dGl0bGU+Q2hyb21lIFRlc3Q8L3RpdGxlPiAKICA8L2hl YWQ+IAogCiAgPGJvZHk+IAogICAgPGRpdiBpZD0iY29udGVudGRpdiIgc3R5bGU9InRvcDowcHg7 IGxlZnQ6MHB4OyB3aWR0aDo1MDBweDsgaGVpZ2h0OjUwMHB4OyBib3JkZXJzOm5vbmU7Ij4gCiAg ICAgIDxlbWJlZCBuYW1lPSd0ZXN0JyBzcmM9J2h0dHA6Ly9rYjIuYWRvYmUuY29tL2Nwcy8xNTUv dG5fMTU1MDcvaW1hZ2VzL2ZsYXNocGxheWVydmVyc2lvbjEuc3dmJyBhbGxvd3NjcmlwdGFjY2Vz cz0nYWx3YXlzJy8+IAogICAgPC9kaXY+IAogIDwvYm9keT4gCjwvaHRtbD4= 45451 2009-12-23 14:42:24 -0800 2009-12-23 15:22:43 -0800 Patch bug-32908-20091223144223.patch text/plain 2728 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA4MzhlM2FjLi4zMDQ1ZjY3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDktMTIt MjMgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAiUmVmdXNlZCB0byBleGVjdXRlIGEgSmF2YVNj cmlwdCBzY3JpcHQiIGVycm9yIHdoZW4gZW1iZWRkaW5nIFNXRiB3aXRoCisgICAgICAgIGEgVVJM IHRoYXQgaXMgYWxzbyBhIHF1ZXJ5IHBhcmFtZXRlcgorICAgICAgICBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MzI5MDgKKworICAgICAgICBVcGRhdGUgZXhwZWN0ZWQg cmVzdWx0cyB0byBzaG93IHRoYXQgd2UgZG9uJ3QgcmFpc2UgYW4gYWxhcm0gaW4gdGhpcyBjYXNl LgorCisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL29iamVjdC1zcmMt aW5qZWN0LWV4cGVjdGVkLnR4dDoKKwogMjAwOS0xMi0yMyAgRGFuIEJlcm5zdGVpbiAgPG1pdHpA YXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgpkaWZmIC0tZ2l0 IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL29iamVjdC1zcmMt aW5qZWN0LWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNz QXVkaXRvci9vYmplY3Qtc3JjLWluamVjdC1leHBlY3RlZC50eHQKaW5kZXggMGJlMjE1Ni4uOGIx Mzc4OSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRp dG9yL29iamVjdC1zcmMtaW5qZWN0LWV4cGVjdGVkLnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivb2JqZWN0LXNyYy1pbmplY3QtZXhwZWN0ZWQudHh0 CkBAIC0xLDMgKzEgQEAKLUNPTlNPTEUgTUVTU0FHRTogbGluZSAxOiBSZWZ1c2VkIHRvIGxvYWQg YW4gb2JqZWN0LiBVUkwgZm91bmQgd2l0aGluIHJlcXVlc3Q6ICJodHRwOi8vMTI3LjAuMC4xOjgw MDAvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZHVtbXkuc3dmIi4KLQogCmRpZmYgLS1n aXQgYS9XZWJDb3JlL0NoYW5nZUxvZyBiL1dlYkNvcmUvQ2hhbmdlTG9nCmluZGV4IDZmYzhmZmMu LjI5OTAzY2UgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1dlYkNvcmUvQ2hh bmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMDktMTItMjMgIEFkYW0gQmFydGggIDxhYmFydGhA d2Via2l0Lm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAg ICAgICAiUmVmdXNlZCB0byBleGVjdXRlIGEgSmF2YVNjcmlwdCBzY3JpcHQiIGVycm9yIHdoZW4g ZW1iZWRkaW5nIFNXRiB3aXRoCisgICAgICAgIGEgVVJMIHRoYXQgaXMgYWxzbyBhIHF1ZXJ5IHBh cmFtZXRlcgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MzI5MDgKKworICAgICAgICBEb24ndCBibG9jayBkaXJlY3QgaW5qZWN0aW9ucyBpbnRvIHRoZSBv YmplY3Qgc3JjIGF0dHJpYnV0ZSB1bmxlc3MKKyAgICAgICAgdGhlcmUncyBhbiBpbGxlZ2FsIGNo YXJhY3RlciAobGlrZSA8IG9yICIpIGluIHRoZSBVUkwuICBUaGlzIGNoYW5nZQorICAgICAgICBs ZXRzIHNvbWUgdmVyeSB1bnVzdWFsIHZ1bG5lcmFiaWxpdGllcyB0aHJvdWdoIHRoZSBmaWx0ZXIg YnV0IHJlbW92ZXMgYQorICAgICAgICBmYWxzZSBwb3NpdGl2ZSB0aGF0IHdlJ3ZlIHNlZW4gc2V2 ZXJhbCB0aW1lcy4KKworICAgICAgICAqIHBhZ2UvWFNTQXVkaXRvci5jcHA6CisgICAgICAgIChX ZWJDb3JlOjpYU1NBdWRpdG9yOjpjYW5Mb2FkT2JqZWN0KToKKwogMjAwOS0xMi0yMyAgRGFuIEJl cm5zdGVpbiAgPG1pdHpAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFk bGVyLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuY3BwIGIvV2ViQ29yZS9w YWdlL1hTU0F1ZGl0b3IuY3BwCmluZGV4IDcyYzI1OTEuLjQ4NDUxNDUgMTAwNjQ0Ci0tLSBhL1dl YkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAorKysgYi9XZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5j cHAKQEAgLTE2Myw3ICsxNjMsNyBAQCBib29sIFhTU0F1ZGl0b3I6OmNhbkxvYWRPYmplY3QoY29u c3QgU3RyaW5nJiB1cmwpIGNvbnN0CiAgICAgaWYgKGlzU2FtZU9yaWdpblJlc291cmNlKHVybCkp CiAgICAgICAgIHJldHVybiB0cnVlOwogCi0gICAgaWYgKGZpbmRJblJlcXVlc3QodXJsKSkgewor ICAgIGlmIChmaW5kSW5SZXF1ZXN0KHVybCwgdHJ1ZSwgdHJ1ZSkpIHsKICAgICAgICAgU3RyaW5n IGNvbnNvbGVNZXNzYWdlID0gU3RyaW5nOjpmb3JtYXQoIlJlZnVzZWQgdG8gbG9hZCBhbiBvYmpl Y3QuIFVSTCBmb3VuZCB3aXRoaW4gcmVxdWVzdDogXCIlc1wiLlxuIiwgdXJsLnV0ZjgoKS5kYXRh KCkpOwogICAgICAgICBtX2ZyYW1lLT5kb21XaW5kb3coKS0+Y29uc29sZSgpLT5hZGRNZXNzYWdl KEpTTWVzc2FnZVNvdXJjZSwgTG9nTWVzc2FnZVR5cGUsIEVycm9yTWVzc2FnZUxldmVsLCBjb25z b2xlTWVzc2FnZSwgMSwgU3RyaW5nKCkpOwogICAgICAgICByZXR1cm4gZmFsc2U7Cg==