38364 2010-04-29 17:57:00 -0700 MIME typo in LayoutTests/http/tests/security/xss-DENIED-mime-type-execute-as-html.html 2010-05-02 14:40:00 -0700 1 1 1 Unclassified WebKit Tools / Tests 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 37358 1 ddkilzer webkit-unassigned abarth inferno oldest_to_newest 219307 0 ddkilzer 2010-04-29 17:57:00 -0700 I believe there is a typo in LayoutTests/http/tests/security/xss-DENIED-mime-type-execute-as-html.html where "application-javascript" is used instead of "application/javascript". Without a "/" in the MIME type, the content returned can be sniffed per <http://tools.ietf.org/html/draft-abarth-mime-sniff-04>, and because it starts out with a <script> tag, is likely to be sniffed as "text/html". Was the use of "application-javascript" intentional or just a typo? See Bug 37358 for the original fix and test case. 219310 1 54765 ddkilzer 2010-04-29 18:01:00 -0700 Created attachment 54765 Patch v1 219315 2 inferno 2010-04-29 18:14:48 -0700 Yes, David it is a typo. Sorry about that. 219611 3 ddkilzer 2010-04-30 14:05:58 -0700 Committed r58604: <http://trac.webkit.org/changeset/58604> 54765 2010-04-29 18:01:00 -0700 2010-04-29 18:26:56 -0700 Patch v1 bug-38364-20100429180059.patch text/plain 1624 ddkilzer ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA4YzIyNTkyM2ZiZDc3ZWU0NzkzNjYyNGYxNjRjZTM5YmExN2VkYTFiLi5jNDQwNzFi NzY0NzRkYjZmMTI0YjliMDVlOWM3NmMyM2IzYWYwNmM1IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAK KzIwMTAtMDQtMjkgIERhdmlkIEtpbHplciAgPGRka2lsemVyQGFwcGxlLmNvbT4KKworICAgICAg ICA8aHR0cDovL3dlYmtpdC5vcmcvYi8zODM2ND4gTUlNRSB0eXBvIGluIExheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkveHNzLURFTklFRC1taW1lLXR5cGUtZXhlY3V0ZS1hcy1odG1sLmh0 bWwKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGh0 dHAvdGVzdHMvc2VjdXJpdHkveHNzLURFTklFRC1taW1lLXR5cGUtZXhlY3V0ZS1hcy1odG1sLmh0 bWw6CisgICAgICAgIEZpeGVkIE1JTUUgdHlwbyBmcm9tICJhcHBsaWNhdGlvbi1qYXZhc2NyaXB0 IiB0bworICAgICAgICAiYXBwbGljYXRpb24vamF2YXNjcmlwdCIuCisKIDIwMTAtMDQtMjkgIFlh YXIgU2Nobml0bWFuICA8eWFhckBjaHJvbWl1bS5vcmc+CiAKICAgICAgICAgTm90IFJldmlld2Vk LgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3MtREVOSUVE LW1pbWUtdHlwZS1leGVjdXRlLWFzLWh0bWwuaHRtbCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMv c2VjdXJpdHkveHNzLURFTklFRC1taW1lLXR5cGUtZXhlY3V0ZS1hcy1odG1sLmh0bWwKaW5kZXgg Mjc5NDZjNjZiN2UxYWQxZmE3ZjE2NjI1NWYwYmIxZmJkY2MxMGFmOC4uNTY5OWU0NGQ2MmQwZTZm OTY5NmM5MmM0YzU1N2I2YmRhYjJlNDNjYiAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHR0cC90 ZXN0cy9zZWN1cml0eS94c3MtREVOSUVELW1pbWUtdHlwZS1leGVjdXRlLWFzLWh0bWwuaHRtbAor KysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzcy1ERU5JRUQtbWltZS10eXBl LWV4ZWN1dGUtYXMtaHRtbC5odG1sCkBAIC05LDcgKzksNyBAQCBpZiAod2luZG93LmxheW91dFRl c3RDb250cm9sbGVyKSB7CiB9CiAKIHZhciBtaW1lX3R5cGVzID0gWyJhcHBsaWNhdGlvbi9hdG9t K3htbCIsICJhcHBsaWNhdGlvbi9qc29uIiwKLSAgICAgICAgICAgICAgICAgICJhcHBsaWNhdGlv bi1qYXZhc2NyaXB0IiwgImFwcGxpY2F0aW9uL3Jzcyt4bWwiLCAidGV4dC8iLAorICAgICAgICAg ICAgICAgICAgImFwcGxpY2F0aW9uL2phdmFzY3JpcHQiLCAiYXBwbGljYXRpb24vcnNzK3htbCIs ICJ0ZXh0LyIsCiAgICAgICAgICAgICAgICAgICAidGV4dC9jYWNoZS1tYW5pZmVzdCIsICJ0ZXh0 L2NzcyIsICJ0ZXh0L2VjbWFzY3JpcHQiLAogICAgICAgICAgICAgICAgICAgInRleHQvamF2YXNj cmlwdCIsICJ0ZXh0L2phdmFzY3JpcHQxLjEiLCAidGV4dC9qYXZhc2NyaXB0MS4yIiwKICAgICAg ICAgICAgICAgICAgICJ0ZXh0L2phdmFzY3JpcHQxLjMiLCAidGV4dC9qc2NyaXB0IiwgInRleHQv bGl2ZXNjcmlwdCIsICJ0ZXh0L3BsYWluIl07Cg==