40404 2010-06-09 23:48:52 -0700 Use allowRequestIfNoIllegalURICharacters instead of context for XSSAuditor::canLoadExternalScriptFromSrc 2010-06-10 10:40:12 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Other OS X 10.5 RESOLVED FIXED P2 Normal --- 39259 1 abarth abarth dbates eric Ms2ger oldest_to_newest 236182 0 abarth 2010-06-09 23:48:52 -0700 Use allowRequestIfNoIllegalURICharacters instead of context for XSSAuditor::canLoadExternalScriptFromSrc 236187 1 58336 abarth 2010-06-09 23:55:41 -0700 Created attachment 58336 Patch 236188 2 58336 eric 2010-06-09 23:58:20 -0700 Comment on attachment 58336 Patch OK. dbates should at least see this go by. 236255 3 Ms2ger 2010-06-10 02:28:39 -0700 > // FIXME: We have no easy way to provide the XSSAuditor with the original > // un-processed attribute source, so for now we pass nullAtom. >- return m_XSSAuditor->canLoadExternalScriptFromSrc(nullAtom, srcValue); >+ return m_XSSAuditor->canLoadExternalScriptFromSrc(srcValue); Update the comment? 236413 4 abarth 2010-06-10 10:21:52 -0700 Good catch. One sec. 236428 5 abarth 2010-06-10 10:40:12 -0700 Committed r60964: <http://trac.webkit.org/changeset/60964> 58336 2010-06-09 23:55:41 -0700 2010-06-09 23:58:19 -0700 Patch bug-40404-20100609235539.patch text/plain 5920 abarth SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA2MDk0MCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsNDEgQEAKKzIwMTAtMDYtMDkgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9y Zz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVc2Ug YWxsb3dSZXF1ZXN0SWZOb0lsbGVnYWxVUklDaGFyYWN0ZXJzIGluc3RlYWQgb2YgY29udGV4dCBm b3IgWFNTQXVkaXRvcjo6Y2FuTG9hZEV4dGVybmFsU2NyaXB0RnJvbVNyYworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NDA0MDQKKworICAgICAgICBXZSBv cmlnaW5hbGx5IGFkZGVkIHRoZSBjb250ZXh0IHBhcmFtZXRlciB0bworICAgICAgICBjYW5Mb2Fk RXh0ZXJuYWxTY3JpcHRGcm9tU3JjIHRvIHdvcmsgYXJvdW5kIHNvbWUgZmFsc2UgcG9zaXRpdmVz IGNhdXNlZAorICAgICAgICBieSBmb2xrcyBjaGVja2luZyBleHRlcm5hbCBzY3JpcHQgVVJMcyBv biB0aGUgc2VydmVyLiAgT3VyIHRob3VnaHQgd2FzCisgICAgICAgIHRoYXQgd2UgY291bGQgdGVs bCB0aGVzZSB3ZXJlIG5vdCByZWFsIFhTUyBhdHRhY2tzIGJlY2F1c2UgdGhlCisgICAgICAgIHN1 cnJvdW5kaW5nIGNvbnRleHQgd291bGRuJ3QgbWF0Y2ggaW4gdGhlIFVSTCBhbmQgdGhlIGRvY3Vt ZW50LgorCisgICAgICAgIEltcGxlbWVudGluZyB0aGlzIGZlYXR1cmUgaW4gdGhlIEhUTUw1IHBh cnNlciBpcyBoYXJkIGJlY2F1c2UgaXQKKyAgICAgICAgcGllcmNlcyBhIGxheWVyIG9mIGFic3Ry YWN0aW9uICh0aGUgdG9rZW4gYWJzdHJhY3Rpb24gb2YgdGhlIGlucHV0CisgICAgICAgIHN0cmVh bSkuICBXZSBjb3VsZCBoYWNrIHRoaXMgaW50byB0aGUgbmV3IHBhcnNlciwgYnV0IGluc3RlYWQg SSB0aGluaworICAgICAgICBpdCdzIGJldHRlciB0byBzd2l0Y2ggdG8gdXNpbmcgdGhlIGFsbG93 UmVxdWVzdElmTm9JbGxlZ2FsVVJJQ2hhcmFjdGVycworICAgICAgICBoZXVyaXN0aWMuCisKKyAg ICAgICAgV2UgZGVzaWduZWQgdGhlIGFsbG93UmVxdWVzdElmTm9JbGxlZ2FsVVJJQ2hhcmFjdGVy cyBhZnRlciB0aGUgY29udGV4dAorICAgICAgICBoZXVyaXN0aWMgdG8gZGVhbCB3aXRoIG90aGVy IGNhc2VzIHdoZXJlIHRoZSBzZXJ2ZXIgd2FzIHZhbGlkYXRpbmcKKyAgICAgICAgaW5wdXQgYmVm b3JlIGVjaG9pbmcgaXQuICBIb3dldmVyLCB3ZSBuZXZlciB0cmllZCBhcHBseWluZyBpdCB0bwor ICAgICAgICBjYW5Mb2FkRXh0ZXJuYWxTY3JpcHRGcm9tU3JjLgorCisgICAgICAgIEl0J3MgcG9z c2libGUgdGhhdCB0aGlzIHdpbGwgY2F1c2UgZmFsc2UgcG9zaXRpdmVzIGFuZCB3aWxsIG5lZWQg dG8gYmUKKyAgICAgICAgcmV2ZXJ0ZWQsIHdoaWNoIGlzIHdoeSBJJ3ZlIGxlZnQgaW4gc29tZSBv ZiB0aGUgaW5mcnVzdHJ1Y3R1cmUgZm9yCisgICAgICAgIGNvbXB1dGluZyBjb250ZXh0LiAgV2Ug ZG9uJ3QgaGF2ZSBhIGdvb2Qgd2F5IHRvIGtub3cgaWYgdGhhdCB3aWxsCisgICAgICAgIGhhcHBl biBleGNlcHQgdG8gdHJ5LiAgV2UgZG8ga25vdywgaG93ZXZlciwgdGhhdCB0aGlzIGhldXJpc3Rp YyB3aWxsCisgICAgICAgIHdvcmsgZm9yIHRoZSBvcmlnaW5hbCBmYWxzZSBwb3NpdGl2ZXMgd2Ug c2F3LgorCisgICAgICAgICogaHRtbC9IVE1MNVRva2VuaXplci5jcHA6CisgICAgICAgIChXZWJD b3JlOjpIVE1MNVRva2VuaXplcjo6c2hvdWxkTG9hZEV4dGVybmFsU2NyaXB0RnJvbVNyYyk6Cisg ICAgICAgICogaHRtbC9IVE1MVG9rZW5pemVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkhUTUxU b2tlbml6ZXI6OnBhcnNlVGFnKToKKyAgICAgICAgKiBwYWdlL1hTU0F1ZGl0b3IuY3BwOgorICAg ICAgICAoV2ViQ29yZTo6WFNTQXVkaXRvcjo6Y2FuTG9hZEV4dGVybmFsU2NyaXB0RnJvbVNyYyk6 CisgICAgICAgICogcGFnZS9YU1NBdWRpdG9yLmg6CisKIDIwMTAtMDYtMDkgIFRvbnkgR2VudGls Y29yZSAgPHRvbnlnQGNocm9taXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBZGFtIEJh cnRoLgpJbmRleDogV2ViQ29yZS9odG1sL0hUTUw1VG9rZW5pemVyLmNwcAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBXZWJDb3JlL2h0bWwvSFRNTDVUb2tlbml6ZXIuY3BwCShyZXZpc2lvbiA2MDk0MCkKKysrIFdl YkNvcmUvaHRtbC9IVE1MNVRva2VuaXplci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTIyNyw3ICsy MjcsNyBAQCBib29sIEhUTUw1VG9rZW5pemVyOjpzaG91bGRMb2FkRXh0ZXJuYWxTCiAgICAgICAg IHJldHVybiB0cnVlOwogICAgIC8vIEZJWE1FOiBXZSBoYXZlIG5vIGVhc3kgd2F5IHRvIHByb3Zp ZGUgdGhlIFhTU0F1ZGl0b3Igd2l0aCB0aGUgb3JpZ2luYWwKICAgICAvLyB1bi1wcm9jZXNzZWQg YXR0cmlidXRlIHNvdXJjZSwgc28gZm9yIG5vdyB3ZSBwYXNzIG51bGxBdG9tLgotICAgIHJldHVy biBtX1hTU0F1ZGl0b3ItPmNhbkxvYWRFeHRlcm5hbFNjcmlwdEZyb21TcmMobnVsbEF0b20sIHNy Y1ZhbHVlKTsKKyAgICByZXR1cm4gbV9YU1NBdWRpdG9yLT5jYW5Mb2FkRXh0ZXJuYWxTY3JpcHRG cm9tU3JjKHNyY1ZhbHVlKTsKIH0KIAogdm9pZCBIVE1MNVRva2VuaXplcjo6ZXhlY3V0ZVNjcmlw dChjb25zdCBTY3JpcHRTb3VyY2VDb2RlJiBzb3VyY2VDb2RlKQpJbmRleDogV2ViQ29yZS9odG1s L0hUTUxUb2tlbml6ZXIuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvaHRtbC9IVE1MVG9rZW5p emVyLmNwcAkocmV2aXNpb24gNjA5MzgpCisrKyBXZWJDb3JlL2h0bWwvSFRNTFRva2VuaXplci5j cHAJKHdvcmtpbmcgY29weSkKQEAgLTEzOTUsNyArMTM5NSw3IEBAIEhUTUxUb2tlbml6ZXI6OlN0 YXRlIEhUTUxUb2tlbml6ZXI6OnBhcnMKIAogICAgICAgICAgICAgICAgICAgICAgICAgaWYgKG1f Y3VycmVudFRva2VuLmJlZ2luVGFnICYmIG1fY3VycmVudFRva2VuLnRhZ05hbWUgPT0gc2NyaXB0 VGFnICYmICFpblZpZXdTb3VyY2VNb2RlKCkgJiYgIW1fcGFyc2VyLT5za2lwTW9kZSgpICYmIG1f YXR0ck5hbWUgPT0gc3JjQXR0cikgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0cmlu ZyBjb250ZXh0KG1fcmF3QXR0cmlidXRlQmVmb3JlVmFsdWUuZGF0YSgpLCBtX3Jhd0F0dHJpYnV0 ZUJlZm9yZVZhbHVlLnNpemUoKSk7Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKG1f WFNTQXVkaXRvciAmJiAhbV9YU1NBdWRpdG9yLT5jYW5Mb2FkRXh0ZXJuYWxTY3JpcHRGcm9tU3Jj KGNvbnRleHQsIGF0dHJpYnV0ZVZhbHVlKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICBp ZiAobV9YU1NBdWRpdG9yICYmICFtX1hTU0F1ZGl0b3ItPmNhbkxvYWRFeHRlcm5hbFNjcmlwdEZy b21TcmMoYXR0cmlidXRlVmFsdWUpKQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBh dHRyaWJ1dGVWYWx1ZSA9IGJsYW5rVVJMKCkuc3RyaW5nKCk7CiAgICAgICAgICAgICAgICAgICAg ICAgICB9CiAKQEAgLTE0MzIsNyArMTQzMiw3IEBAIEhUTUxUb2tlbml6ZXI6OlN0YXRlIEhUTUxU b2tlbml6ZXI6OnBhcnMKIAogICAgICAgICAgICAgICAgICAgICAgICAgaWYgKG1fY3VycmVudFRv a2VuLmJlZ2luVGFnICYmIG1fY3VycmVudFRva2VuLnRhZ05hbWUgPT0gc2NyaXB0VGFnICYmICFp blZpZXdTb3VyY2VNb2RlKCkgJiYgIW1fcGFyc2VyLT5za2lwTW9kZSgpICYmIG1fYXR0ck5hbWUg PT0gc3JjQXR0cikgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0cmluZyBjb250ZXh0 KG1fcmF3QXR0cmlidXRlQmVmb3JlVmFsdWUuZGF0YSgpLCBtX3Jhd0F0dHJpYnV0ZUJlZm9yZVZh bHVlLnNpemUoKSk7Ci0gICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKG1fWFNTQXVkaXRv ciAmJiAhbV9YU1NBdWRpdG9yLT5jYW5Mb2FkRXh0ZXJuYWxTY3JpcHRGcm9tU3JjKGNvbnRleHQs IGF0dHJpYnV0ZVZhbHVlKSkKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAobV9YU1NB dWRpdG9yICYmICFtX1hTU0F1ZGl0b3ItPmNhbkxvYWRFeHRlcm5hbFNjcmlwdEZyb21TcmMoYXR0 cmlidXRlVmFsdWUpKQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdHRyaWJ1dGVW YWx1ZSA9IGJsYW5rVVJMKCkuc3RyaW5nKCk7CiAgICAgICAgICAgICAgICAgICAgICAgICB9CiAK SW5kZXg6IFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3Jl L3BhZ2UvWFNTQXVkaXRvci5jcHAJKHJldmlzaW9uIDYwOTM4KQorKysgV2ViQ29yZS9wYWdlL1hT U0F1ZGl0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xNzAsNyArMTcwLDcgQEAgYm9vbCBYU1NB dWRpdG9yOjpjYW5DcmVhdGVJbmxpbmVFdmVudExpcwogICAgIHJldHVybiB0cnVlOwogfQogCi1i b29sIFhTU0F1ZGl0b3I6OmNhbkxvYWRFeHRlcm5hbFNjcmlwdEZyb21TcmMoY29uc3QgU3RyaW5n JiBjb250ZXh0LCBjb25zdCBTdHJpbmcmIHVybCkgY29uc3QKK2Jvb2wgWFNTQXVkaXRvcjo6Y2Fu TG9hZEV4dGVybmFsU2NyaXB0RnJvbVNyYyhjb25zdCBTdHJpbmcmIHVybCkgY29uc3QKIHsKICAg ICBpZiAoIWlzRW5hYmxlZCgpKQogICAgICAgICByZXR1cm4gdHJ1ZTsKQEAgLTE3OSw4ICsxNzks OCBAQCBib29sIFhTU0F1ZGl0b3I6OmNhbkxvYWRFeHRlcm5hbFNjcmlwdEZyCiAgICAgICAgIHJl dHVybiB0cnVlOwogCiAgICAgRmluZFRhc2sgdGFzazsKLSAgICB0YXNrLmNvbnRleHQgPSBjb250 ZXh0OwogICAgIHRhc2suc3RyaW5nID0gdXJsOworICAgIHRhc2suYWxsb3dSZXF1ZXN0SWZOb0ls bGVnYWxVUklDaGFyYWN0ZXJzID0gdHJ1ZTsKIAogICAgIGlmIChmaW5kSW5SZXF1ZXN0KHRhc2sp KSB7CiAgICAgICAgIERFRklORV9TVEFUSUNfTE9DQUwoU3RyaW5nLCBjb25zb2xlTWVzc2FnZSwg KCJSZWZ1c2VkIHRvIGV4ZWN1dGUgYSBKYXZhU2NyaXB0IHNjcmlwdC4gU291cmNlIGNvZGUgb2Yg c2NyaXB0IGZvdW5kIHdpdGhpbiByZXF1ZXN0LlxuIikpOwpJbmRleDogV2ViQ29yZS9wYWdlL1hT U0F1ZGl0b3IuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3BhZ2UvWFNTQXVkaXRvci5oCShyZXZp c2lvbiA2MDkzOCkKKysrIFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmgJKHdvcmtpbmcgY29weSkK QEAgLTkwLDcgKzkwLDcgQEAgbmFtZXNwYWNlIFdlYkNvcmUgewogCiAgICAgICAgIC8vIERldGVy bWluZXMgd2hldGhlciB0aGUgZXh0ZXJuYWwgc2NyaXB0IHNob3VsZCBiZSBsb2FkZWQgYmFzZWQg b24gdGhlCiAgICAgICAgIC8vIGNvbnRlbnQgb2YgYW55IHVzZXItc3VibWl0dGVkIGRhdGEuCi0g ICAgICAgIGJvb2wgY2FuTG9hZEV4dGVybmFsU2NyaXB0RnJvbVNyYyhjb25zdCBTdHJpbmcmIGNv bnRleHQsIGNvbnN0IFN0cmluZyYgdXJsKSBjb25zdDsKKyAgICAgICAgYm9vbCBjYW5Mb2FkRXh0 ZXJuYWxTY3JpcHRGcm9tU3JjKGNvbnN0IFN0cmluZyYgdXJsKSBjb25zdDsKIAogICAgICAgICAv LyBEZXRlcm1pbmVzIHdoZXRoZXIgb2JqZWN0IHNob3VsZCBiZSBsb2FkZWQgYmFzZWQgb24gdGhl IGNvbnRlbnQgb2YKICAgICAgICAgLy8gYW55IHVzZXItc3VibWl0dGVkIGRhdGEuCg==