69700 2011-10-08 05:56:25 -0700 [Qt] http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml fails 2011-10-09 03:15:12 -0700 1 1 1 Unclassified WebKit Tools / Tests 528+ (Nightly build) All All RESOLVED FIXED Qt, QtTriaged P1 Critical --- 1 ossy webkit-unassigned abarth ossy serg.glazunov vestbo webkit.review.bot oldest_to_newest 480541 0 ossy 2011-10-08 05:56:25 -0700 http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml introduced in http://trac.webkit.org/changeset/96984 (https://bugs.webkit.org/show_bug.cgi?id=69661), but fails on the Qt bot: --- /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt +++ /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-actual.txt @@ -1,3 +1,4 @@ -CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match. - -This test passes if it doesn't alert the contents of innocent-victim.html. +CONSOLE MESSAGE: line 2: <html xmlns='http://www.w3.org/1999/xhtml/'><body><p>Running an XSL-T 1.0 stylesheet with a 2.0 processor.</p></body></html> +CONSOLE MESSAGE: line 2: <html xmlns='http://www.w3.org/1999/xhtml/'><body><p>Running an XSL-T 1.0 stylesheet with a 2.0 processor.</p></body></html> +FAIL: Timed out waiting for notifyDone to be called +This test passes if it doesn't alert the contents of innocent-victim.html. bug69661 is security bug, so I can't comment it, but I cc-ed the author (Sergey), the reviewer (Adam) and a member of security group from Nokia (Tor Arne). Could you check if it is a security problem on Qt or not? 480543 1 ossy 2011-10-08 06:09:56 -0700 Skipped by http://trac.webkit.org/changeset/97008 until fix. 480570 2 abarth 2011-10-08 09:58:54 -0700 It's not a security problem. The test is just timing out for some reason. 480662 3 110291 serg.glazunov 2011-10-08 23:05:14 -0700 Created attachment 110291 Patch 480663 4 abarth 2011-10-08 23:18:20 -0700 Thanks Sergey. 480666 5 110291 webkit.review.bot 2011-10-09 00:22:35 -0700 Comment on attachment 110291 Patch Clearing flags on attachment: 110291 Committed r97021: <http://trac.webkit.org/changeset/97021> 480667 6 webkit.review.bot 2011-10-09 00:22:39 -0700 All reviewed patches have been landed. Closing bug. 480674 7 serg.glazunov 2011-10-09 01:21:40 -0700 Aw, it's failing again and the diff is nice: --- /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-expected.txt +++ /ramdisk/qt-linux-release/build/layout-test-results/http/tests/security/xss-DENIED-xsl-document-securityOrigin-actual.txt @@ -1,3 +1,3 @@ CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL about:blank. Domains, protocols and ports must match. -This test passes if it doesn't alert the contents of innocent-victim.html. +This test passes if it doesn't alert the contents of innocent-victim.html. 480690 8 ossy 2011-10-09 03:15:12 -0700 Thanks for the fix. It seems the difference caused by a Qt-DRT bug, new bug report: https://bugs.webkit.org/show_bug.cgi?id=69718 And I added a Qt specific expected file to make our buildbot happy: http://trac.webkit.org/changeset/97024 110291 2011-10-08 23:05:14 -0700 2011-10-09 00:22:35 -0700 Patch bug-69700-20111009120512.patch text/plain 2382 serg.glazunov SW5kZXg6IExheW91dFRlc3RzL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9D aGFuZ2VMb2cJKHJldmlzaW9uIDk3MDIwKQorKysgTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCSh3b3Jr aW5nIGNvcHkpCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTEtMTAtMDggIFNlcmdleSBHbGF6dW5vdiAg PHNlcmcuZ2xhenVub3ZAZ21haWwuY29tPgorCisgICAgICAgIFtRdF0gaHR0cC90ZXN0cy9zZWN1 cml0eS94c3MtREVOSUVELXhzbC1kb2N1bWVudC1zZWN1cml0eU9yaWdpbi54bWwgZmFpbHMKKyAg ICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY5NzAwCisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBodHRwL3Rlc3Rz L3NlY3VyaXR5L3hzcy1ERU5JRUQteHNsLWRvY3VtZW50LXNlY3VyaXR5T3JpZ2luLnhtbDoKKyAg ICAgICAgKiBwbGF0Zm9ybS9xdC9Ta2lwcGVkOgorCiAyMDExLTEwLTA4ICBRaSBaaGFuZyAgPHFp LjIuemhhbmdAbm9raWEuY29tPgogCiAgICAgICAgIFtXSzJdIFVwZGF0ZSBTa2lwcGVkIGZpbGUg CkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzcy1ERU5JRUQteHNsLWRv Y3VtZW50LXNlY3VyaXR5T3JpZ2luLnhtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L3hzcy1ERU5JRUQteHNsLWRvY3VtZW50LXNlY3VyaXR5T3JpZ2luLnht bAkocmV2aXNpb24gOTcwMDgpCisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hz cy1ERU5JRUQteHNsLWRvY3VtZW50LXNlY3VyaXR5T3JpZ2luLnhtbAkod29ya2luZyBjb3B5KQpA QCAtMSw1ICsxLDUgQEAKIDw/eG1sLXN0eWxlc2hlZXQgdHlwZT0idGV4dC94c2wiIGhyZWY9Inhz cy1ERU5JRUQteHNsLWRvY3VtZW50LXNlY3VyaXR5T3JpZ2luLnhtbCI/PgotPHhzbDpzdHlsZXNo ZWV0IHZlcnNpb249IjEuMCIgeG1sbnM6eHNsPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L1hTTC9U cmFuc2Zvcm0iPgorPHhzbDpzdHlsZXNoZWV0IHZlcnNpb249IjIuMCIgeG1sbnM6eHNsPSJodHRw Oi8vd3d3LnczLm9yZy8xOTk5L1hTTC9UcmFuc2Zvcm0iPgogPHhzbDp0ZW1wbGF0ZSBtYXRjaD0i LyI+CiA8aHRtbD4KIDxoZWFkPgpAQCAtMjMsNyArMjMsNyBAQCB3aW5kb3cub25sb2FkID0gZnVu Y3Rpb24oKQogCQl1cmwgPSBsb2NhdGlvbi5ocmVmOwogCQlibGFuayA9IGRvY3VtZW50LmJvZHku YXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiaWZyYW1lIikpOwogCQlibGFuay5j b250ZW50V2luZG93LmV2YWwoInBhcmVudC5kb2N1bWVudC5vcGVuKCkiKTsKLQkJbG9jYXRpb24g PSAiamF2YXNjcmlwdDooXCI8P3htbCB2ZXJzaW9uPScxLjAnPz48P3htbC1zdHlsZXNoZWV0IHR5 cGU9J3RleHQveHNsJyBocmVmPSciICsgdXJsICsgIic/Pjxyb290Lz5cIikiOworCQlsb2NhdGlv biA9ICJqYXZhc2NyaXB0OihcIlx4M0M/eG1sLXN0eWxlc2hlZXQgdHlwZT0ndGV4dC94c2wnIGhy ZWY9JyIgKyB1cmwgKyAiJz9ceDNFXHgzQ3Jvb3QvXHgzRVwiKSI7CiAJfSBlbHNlIHsKIAkJdmlj dGltID0gb3BlbmVyOwogCQlvcGVuKCJqYXZhc2NyaXB0OnZvaWQoMCkiLCAiX3NlbGYiKTsKSW5k ZXg6IExheW91dFRlc3RzL3BsYXRmb3JtL3F0L1NraXBwZWQKPT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0 VGVzdHMvcGxhdGZvcm0vcXQvU2tpcHBlZAkocmV2aXNpb24gOTcwMDgpCisrKyBMYXlvdXRUZXN0 cy9wbGF0Zm9ybS9xdC9Ta2lwcGVkCSh3b3JraW5nIGNvcHkpCkBAIC0yNDA5LDcgKzI0MDksMyBA QCBlZGl0aW5nL3Bhc3RlYm9hcmQvc21hcnQtcGFzdGUtMDA4Lmh0bWwKICMgbmV3IHRlc3QgaW50 cm9kdWNlZCBpbiBpbiByOTY4NTYsIGJ1dCBmYWlscyBvbiBRdAogIyBodHRwczovL2J1Z3Mud2Vi a2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Njk2MTUKIGh0dHAvdGVzdHMvbXVsdGlwYXJ0L2xvYWQt bGFzdC1ub24taHRtbC1mcmFtZS5waHAKLQotIyBbUXRdIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNz LURFTklFRC14c2wtZG9jdW1lbnQtc2VjdXJpdHlPcmlnaW4ueG1sIGZhaWxzCi0jIGh0dHBzOi8v YnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD02OTcwMAotaHR0cC90ZXN0cy9zZWN1cml0 eS94c3MtREVOSUVELXhzbC1kb2N1bWVudC1zZWN1cml0eU9yaWdpbi54bWwK