94547 2012-08-20 16:39:21 -0700 XSSAuditor too tolerant of injected data: URLs from other "hostless" schemes. 2012-08-20 19:11:22 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 tsepez webkit-unassigned abarth dbates webkit.review.bot oldest_to_newest 700161 0 tsepez 2012-08-20 16:39:21 -0700 Originally reported by sasha zivojinovic at crbug.com/142636 XSSAuditor's isSameOrignRequest() gets tripped up when the main page is loaded from say file:/// (which has no host portion) and the injected payload is from data: (which has no host portion). No risk of cookie theft from data: URLs, but can do nuisance things like navigate the top page. Unclear whether there are really any protocols that need this protection. 700173 1 159561 tsepez 2012-08-20 16:48:11 -0700 Created attachment 159561 Patch + test case. 700179 2 tsepez 2012-08-20 16:51:00 -0700 Changed the name of the function so that it doesn't say "same origin" whilst completely ignoring scheme and port. 700180 3 159561 abarth 2012-08-20 16:51:31 -0700 Comment on attachment 159561 Patch + test case. Ok. We added this to weed out some false positives, but they were all for URLs that had hosts, so this is probably fine. 700341 4 159561 webkit.review.bot 2012-08-20 19:11:18 -0700 Comment on attachment 159561 Patch + test case. Clearing flags on attachment: 159561 Committed r126120: <http://trac.webkit.org/changeset/126120> 700342 5 webkit.review.bot 2012-08-20 19:11:22 -0700 All reviewed patches have been landed. Closing bug. 159561 2012-08-20 16:48:11 -0700 2012-08-20 19:11:18 -0700 Patch + test case. patch_94547.txt text/plain 6170 tsepez SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDEyNjA5MSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBACisyMDEyLTA4LTIwICBUb20gU2Vw ZXogIDx0c2VwZXpAY2hyb21pdW0ub3JnPgorCisgICAgICAgIFhTU0F1ZGl0b3IgdG9vIHRvbGVy YW50IG9mIGluamVjdGVkIGRhdGE6IFVSTHMgZnJvbSBvdGhlciAiaG9zdGxlc3MiIHNjaGVtZXMu CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD05NDU0Nwor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENoZWNrIHRo YXQgdGhlcmUgaXMgYSBob3N0IGJlZm9yZSBtYWtpbmcgc2FtZS1ob3N0IHRlc3RzLgorCisgICAg ICAgIFRlc3Q6IGZhc3QvZnJhbWVzL3hzcy1hdWRpdG9yLWhhbmRsZXMtZmlsZS11cmxzLmh0bWwK KworICAgICAgICAqIGh0bWwvcGFyc2VyL1hTU0F1ZGl0b3IuY3BwOgorICAgICAgICAoV2ViQ29y ZTo6WFNTQXVkaXRvcjo6ZXJhc2VBdHRyaWJ1dGVJZkluamVjdGVkKToKKyAgICAgICAgKFdlYkNv cmU6OlhTU0F1ZGl0b3I6OmlzTGlrZWx5U2FmZVJlc291cmNlKToKKyAgICAgICAgKiBodG1sL3Bh cnNlci9YU1NBdWRpdG9yLmg6CisKIDIwMTItMDgtMjAgIFNpbW9uIEZyYXNlciAgPHNpbW9uLmZy YXNlckBhcHBsZS5jb20+CiAKICAgICAgICAgQXNzZXJ0aW9uIGdvaW5nIGJhY2sgdG8gcmVzdWx0 cy5odG1sIHBhZ2UgZnJvbSBhbiBpbWFnZSBkaWZmIHJlc3VsdApJbmRleDogU291cmNlL1dlYkNv cmUvaHRtbC9wYXJzZXIvWFNTQXVkaXRvci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNv cmUvaHRtbC9wYXJzZXIvWFNTQXVkaXRvci5jcHAJKHJldmlzaW9uIDEyNjA4MykKKysrIFNvdXJj ZS9XZWJDb3JlL2h0bWwvcGFyc2VyL1hTU0F1ZGl0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00 NTgsNyArNDU4LDcgQEAgYm9vbCBYU1NBdWRpdG9yOjplcmFzZUF0dHJpYnV0ZUlmSW5qZWN0ZQog ICAgIGlmIChmaW5kQXR0cmlidXRlV2l0aE5hbWUodG9rZW4sIGF0dHJpYnV0ZU5hbWUsIGluZGV4 T2ZBdHRyaWJ1dGUpKSB7CiAgICAgICAgIGNvbnN0IEhUTUxUb2tlbjo6QXR0cmlidXRlJiBhdHRy aWJ1dGUgPSB0b2tlbi5hdHRyaWJ1dGVzKCkuYXQoaW5kZXhPZkF0dHJpYnV0ZSk7CiAgICAgICAg IGlmIChpc0NvbnRhaW5lZEluUmVxdWVzdChkZWNvZGVkU25pcHBldEZvckF0dHJpYnV0ZSh0b2tl biwgYXR0cmlidXRlLCB0cmVhdG1lbnQpKSkgewotICAgICAgICAgICAgaWYgKGF0dHJpYnV0ZU5h bWUgPT0gc3JjQXR0ciAmJiBpc1NhbWVPcmlnaW5SZXNvdXJjZShTdHJpbmcoYXR0cmlidXRlLm1f dmFsdWUuZGF0YSgpLCBhdHRyaWJ1dGUubV92YWx1ZS5zaXplKCkpKSkKKyAgICAgICAgICAgIGlm IChhdHRyaWJ1dGVOYW1lID09IHNyY0F0dHIgJiYgaXNMaWtlbHlTYWZlUmVzb3VyY2UoU3RyaW5n KGF0dHJpYnV0ZS5tX3ZhbHVlLmRhdGEoKSwgYXR0cmlidXRlLm1fdmFsdWUuc2l6ZSgpKSkpCiAg ICAgICAgICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICAgICAgaWYgKGF0dHJpYnV0ZU5h bWUgPT0gaHR0cF9lcXVpdkF0dHIgJiYgIWlzRGFuZ2Vyb3VzSFRUUEVxdWl2KFN0cmluZyhhdHRy aWJ1dGUubV92YWx1ZS5kYXRhKCksIGF0dHJpYnV0ZS5tX3ZhbHVlLnNpemUoKSkpKQogICAgICAg ICAgICAgICAgIHJldHVybiBmYWxzZTsKQEAgLTYwMywxNiArNjAzLDIwIEBAIGJvb2wgWFNTQXVk aXRvcjo6aXNDb250YWluZWRJblJlcXVlc3QoY28KICAgICByZXR1cm4gbV9kZWNvZGVkSFRUUEJv ZHkuZmluZChkZWNvZGVkU25pcHBldCwgMCwgZmFsc2UpICE9IG5vdEZvdW5kOwogfQogCi1ib29s IFhTU0F1ZGl0b3I6OmlzU2FtZU9yaWdpblJlc291cmNlKGNvbnN0IFN0cmluZyYgdXJsKQorYm9v bCBYU1NBdWRpdG9yOjppc0xpa2VseVNhZmVSZXNvdXJjZShjb25zdCBTdHJpbmcmIHVybCkKIHsK LSAgICAvLyBJZiB0aGUgcmVzb3VyY2UgaXMgbG9hZGVkIGZyb20gdGhlIHNhbWUgVVJMIGFzIHRo ZSBlbmNsb3NpbmcgcGFnZSwgaXQncworICAgIC8vIElmIHRoZSByZXNvdXJjZSBpcyBsb2FkZWQg ZnJvbSB0aGUgc2FtZSBob3N0IGFzIHRoZSBlbmNsb3NpbmcgcGFnZSwgaXQncwogICAgIC8vIHBy b2JhYmx5IG5vdCBhbiBYU1MgYXR0YWNrLCBzbyB3ZSByZWR1Y2UgZmFsc2UgcG9zaXRpdmVzIGJ5 IGFsbG93aW5nIHRoZQotICAgIC8vIHJlcXVlc3QuIElmIHRoZSByZXNvdXJjZSBoYXMgYSBxdWVy eSBzdHJpbmcsIHdlJ3JlIG1vcmUgc3VzcGljaW91cywKLSAgICAvLyBob3dldmVyLCBiZWNhdXNl IHRoYXQncyBwcmV0dHkgcmFyZSBhbmQgdGhlIGF0dGFja2VyIG1pZ2h0IGJlIGFibGUgdG8KLSAg ICAvLyB0cmljayBhIHNlcnZlci1zaWRlIHNjcmlwdCBpbnRvIGRvaW5nIHNvbWV0aGluZyBkYW5n ZXJvdXMgd2l0aCB0aGUgcXVlcnkKLSAgICAvLyBzdHJpbmcuCi0gICAgS1VSTCByZXNvdXJjZVVS TChtX3BhcnNlci0+ZG9jdW1lbnQoKS0+dXJsKCksIHVybCk7Ci0gICAgcmV0dXJuIChtX3BhcnNl ci0+ZG9jdW1lbnQoKS0+dXJsKCkuaG9zdCgpID09IHJlc291cmNlVVJMLmhvc3QoKSAmJiByZXNv dXJjZVVSTC5xdWVyeSgpLmlzRW1wdHkoKSk7CisgICAgLy8gcmVxdWVzdCwgaWdub3Jpbmcgc2No ZW1lIGFuZCBwb3J0IGNvbnNpZGVyYXRpb25zLiBJZiB0aGUgcmVzb3VyY2UgaGFzIGEKKyAgICAv LyBxdWVyeSBzdHJpbmcsIHdlJ3JlIG1vcmUgc3VzcGljaW91cywgaG93ZXZlciwgYmVjYXVzZSB0 aGF0J3MgcHJldHR5IHJhcmUKKyAgICAvLyBhbmQgdGhlIGF0dGFja2VyIG1pZ2h0IGJlIGFibGUg dG8gdHJpY2sgYSBzZXJ2ZXItc2lkZSBzY3JpcHQgaW50byBkb2luZworICAgIC8vIHNvbWV0aGlu ZyBkYW5nZXJvdXMgd2l0aCB0aGUgcXVlcnkgc3RyaW5nLiAgCisgICAgY29uc3QgS1VSTCYgZG9j dW1lbnRVUkwgPSBtX3BhcnNlci0+ZG9jdW1lbnQoKS0+dXJsKCk7CisgICAgaWYgKGRvY3VtZW50 VVJMLmhvc3QoKS5pc0VtcHR5KCkpCisgICAgICAgIHJldHVybiBmYWxzZTsKKworICAgIEtVUkwg cmVzb3VyY2VVUkwoZG9jdW1lbnRVUkwsIHVybCk7CisgICAgcmV0dXJuIChkb2N1bWVudFVSTC5o b3N0KCkgPT0gcmVzb3VyY2VVUkwuaG9zdCgpICYmIHJlc291cmNlVVJMLnF1ZXJ5KCkuaXNFbXB0 eSgpKTsKIH0KIAogfSAvLyBuYW1lc3BhY2UgV2ViQ29yZQpJbmRleDogU291cmNlL1dlYkNvcmUv aHRtbC9wYXJzZXIvWFNTQXVkaXRvci5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3JlL2h0 bWwvcGFyc2VyL1hTU0F1ZGl0b3IuaAkocmV2aXNpb24gMTI2MDgzKQorKysgU291cmNlL1dlYkNv cmUvaHRtbC9wYXJzZXIvWFNTQXVkaXRvci5oCSh3b3JraW5nIGNvcHkpCkBAIC03OSw3ICs3OSw3 IEBAIHByaXZhdGU6CiAgICAgU3RyaW5nIGRlY29kZWRTbmlwcGV0Rm9ySmF2YVNjcmlwdChjb25z dCBIVE1MVG9rZW4mKTsKIAogICAgIGJvb2wgaXNDb250YWluZWRJblJlcXVlc3QoY29uc3QgU3Ry aW5nJik7Ci0gICAgYm9vbCBpc1NhbWVPcmlnaW5SZXNvdXJjZShjb25zdCBTdHJpbmcmIHVybCk7 CisgICAgYm9vbCBpc0xpa2VseVNhZmVSZXNvdXJjZShjb25zdCBTdHJpbmcmIHVybCk7CiAKICAg ICBIVE1MRG9jdW1lbnRQYXJzZXIqIG1fcGFyc2VyOwogICAgIGJvb2wgbV9pc0VuYWJsZWQ7Cklu ZGV4OiBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvQ2hh bmdlTG9nCShyZXZpc2lvbiAxMjYwOTEpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtp bmcgY29weSkKQEAgLTEsMyArMSwxNCBAQAorMjAxMi0wOC0yMCAgVG9tIFNlcGV6ICA8dHNlcGV6 QGNocm9taXVtLm9yZz4KKworICAgICAgICBYU1NBdWRpdG9yIHRvbyB0b2xlcmFudCBvZiBpbmpl Y3RlZCBkYXRhOiBVUkxzIGZyb20gb3RoZXIgImhvc3RsZXNzIiBzY2hlbWVzLgorICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9OTQ1NDcKKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGZhc3QvZnJhbWVzL3Jlc291 cmNlcy9zdGF0aWMteHNzLXZlY3Rvci5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBmYXN0L2ZyYW1l cy94c3MtYXVkaXRvci1oYW5kbGVzLWZpbGUtdXJscy1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAg ICAgICAqIGZhc3QvZnJhbWVzL3hzcy1hdWRpdG9yLWhhbmRsZXMtZmlsZS11cmxzLmh0bWw6IEFk ZGVkLgorCiAyMDEyLTA4LTIwICBEb21pbmlrIFLDtnR0c2NoZXMgIDxkb21pbmlrLnJvdHRzY2hl c0BpbnRlbC5jb20+CiAKICAgICAgICAgMmQuaW1hZ2VEYXRhLm9iamVjdC53cmFwLmh0bWwgaGFz IHdyb25nIGV4cGVjdGF0aW9ucwpJbmRleDogTGF5b3V0VGVzdHMvZmFzdC9mcmFtZXMveHNzLWF1 ZGl0b3ItaGFuZGxlcy1maWxlLXVybHMtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91 dFRlc3RzL2Zhc3QvZnJhbWVzL3hzcy1hdWRpdG9yLWhhbmRsZXMtZmlsZS11cmxzLWV4cGVjdGVk LnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2Zhc3QvZnJhbWVzL3hzcy1hdWRpdG9y LWhhbmRsZXMtZmlsZS11cmxzLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKQEAgLTAsMCArMSwz IEBACitDT05TT0xFIE1FU1NBR0U6IFJlZnVzZWQgdG8gZXhlY3V0ZSBhIEphdmFTY3JpcHQgc2Ny aXB0LiBTb3VyY2UgY29kZSBvZiBzY3JpcHQgZm91bmQgd2l0aGluIHJlcXVlc3QuCisKKwpJbmRl eDogTGF5b3V0VGVzdHMvZmFzdC9mcmFtZXMveHNzLWF1ZGl0b3ItaGFuZGxlcy1maWxlLXVybHMu aHRtbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9mYXN0L2ZyYW1lcy94c3MtYXVkaXRvci1o YW5kbGVzLWZpbGUtdXJscy5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9m cmFtZXMveHNzLWF1ZGl0b3ItaGFuZGxlcy1maWxlLXVybHMuaHRtbAkocmV2aXNpb24gMCkKQEAg LTAsMCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNjcmlwdD4K K2lmICh3aW5kb3cudGVzdFJ1bm5lcikgeworICB0ZXN0UnVubmVyLmR1bXBBc1RleHQoKTsKKyAg dGVzdFJ1bm5lci5zZXRYU1NBdWRpdG9yRW5hYmxlZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9o ZWFkPgorPGJvZHk+Cis8aWZyYW1lIHNyYz0icmVzb3VyY2VzL3N0YXRpYy14c3MtdmVjdG9yLmh0 bWw/cT1YU1M8aWZyYW1lIHNyYz0nZGF0YTp0ZXh0L2h0bWw7YmFzZTY0LFBITmpjbWx3ZEQ1aGJH VnlkQ2d4S1R3dmMyTnlhWEIwUGc9PSc+Ij4KKzwvaWZyYW1lPgorPC9ib2R5PgorPC9odG1sPgpJ bmRleDogTGF5b3V0VGVzdHMvZmFzdC9mcmFtZXMvcmVzb3VyY2VzL3N0YXRpYy14c3MtdmVjdG9y Lmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9mcmFtZXMvcmVzb3VyY2VzL3N0 YXRpYy14c3MtdmVjdG9yLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2Zy YW1lcy9yZXNvdXJjZXMvc3RhdGljLXhzcy12ZWN0b3IuaHRtbAkocmV2aXNpb24gMCkKQEAgLTAs MCArMSw1IEBACis8aHRtbD4KKzxib2R5PgorPGlmcmFtZSBzcmM9J2RhdGE6dGV4dC9odG1sO2Jh c2U2NCxQSE5qY21sd2RENWhiR1Z5ZENneEtUd3ZjMk55YVhCMFBnPT0nPjwvaWZyYW1lPgorPC9i b2R5PgorPC9odG1sPgo=