Bug 111944

Summary: XSSAuditor doesn't need a copy of the original document URL.
Product: WebKit Reporter: Mike West <mkwst>
Component: New BugsAssignee: Mike West <mkwst>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, dbates, esprehn+autocc, ojan.autocc, tsepez, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 110733    
Attachments:
Description Flags
Patch none

Description Mike West 2013-03-10 11:47:18 PDT
XSSAuditor doesn't need a copy of the original document URL.
Comment 1 Mike West 2013-03-10 11:57:30 PDT
Created attachment 192382 [details]
Patch
Comment 2 Mike West 2013-03-10 11:59:34 PDT
As Adam noted in https://bugs.webkit.org/show_bug.cgi?id=110733#c36, there doesn't seem to be any good reason to retain a copy of this string.
Comment 3 Adam Barth 2013-03-10 12:45:18 PDT
Comment on attachment 192382 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=192382&action=review

> Source/WebCore/html/parser/XSSAuditorDelegate.cpp:76
>          reportDetails->setString("request-body", xssInfo.m_originalHTTPBody);

Is the same true of the request body?
Comment 4 Mike West 2013-03-10 12:51:53 PDT
(In reply to comment #3)
> (From update of attachment 192382 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=192382&action=review
> 
> > Source/WebCore/html/parser/XSSAuditorDelegate.cpp:76
> >          reportDetails->setString("request-body", xssInfo.m_originalHTTPBody);
> 
> Is the same true of the request body?

Looks like it might be; I don't think there's any circumstance in which the document's loader would change, or the loader's originalRequest. I'll put together another patch and see what happens if I just remove that property as well.
Comment 5 WebKit Review Bot 2013-03-10 12:59:18 PDT
Comment on attachment 192382 [details]
Patch

Clearing flags on attachment: 192382

Committed r145331: <http://trac.webkit.org/changeset/145331>
Comment 6 WebKit Review Bot 2013-03-10 12:59:21 PDT
All reviewed patches have been landed.  Closing bug.