Bug 189551
| Field | Value |
|---|---|
| Summary | XSS auditor breaks srcdoc example in live-dom-viewer |
| Product | WebKit |
| Component | DOM |
| Status | RESOLVED DUPLICATE |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Simon Fraser (smfr) <simon.fraser> |
| Assignee | Nobody <webkit-unassigned> |
| CC | ap, bfulgham, cdumez, dbates, sam, simon.fraser |
Simon Fraser (smfr)
http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cstyle%3E%0Abody%20%7B%20background%3A%20aqua%20%7D%0A%3C%2Fstyle%3E%0A%3Ciframe%20srcdoc%3D%22%3Cdiv%20style%3Dbackground%3Ablue%3Bheight%3A30px%3E%3C%2Fdiv%3E%22%3E
There should be a blue div inside the iframe, but we don't seem to parse the srcdoc correctly.
Sam Weinig
I'm pretty sure this isn't a parsing issue and is more likely the XSS Auditor kicking in. The same example renders fine in the Tryit Editor -> https://www.w3schools.com/code/tryit.asp?filename=FV8MYTW7FYTI.
Simon Fraser (smfr)
Ah yes, inspector says:
The XSS Auditor refused to execute a script in 'http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cstyle%3E%0Abody%20%7B%20background%3A%20aqua%20%7D%0A%3C%2Fstyle%3E%0A%3Ciframe%20srcdoc%3D%22%3Cdiv%20style%3Dbackground%3Ablue%3Bheight%3A30px%3E%3C%2Fdiv%3E%22%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
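As an added illustration, not code from this bug or from WebKit, here is a simplified model of the check the inspector message describes: the auditor compares script-capable content the parser sees (inline script bodies, iframe srcdoc documents) against the decoded request URL and blocks on a match, standing down only when the response carries an `X-XSS-Protection: 0` header. The URL is the one from the report; the function names, the regex, and the "parsed HTML" sample (the decoded query that live-dom-viewer writes into its preview frame) are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# The URL from the report: the whole document travels in the query string.
REQUEST_URL = (
    "http://software.hixie.ch/utilities/js/live-dom-viewer/?"
    "%3C!DOCTYPE%20html%3E%0A%3Cstyle%3E%0Abody%20%7B%20background%3A%20aqua%20%7D%0A"
    "%3C%2Fstyle%3E%0A%3Ciframe%20srcdoc%3D%22%3Cdiv%20style%3Dbackground%3Ablue%3B"
    "height%3A30px%3E%3C%2Fdiv%3E%22%3E"
)

# Constructed: the markup the viewer writes into its preview frame, i.e. the decoded query.
PARSED_HTML = (
    '<!DOCTYPE html>\n<style>\nbody { background: aqua }\n</style>\n'
    '<iframe srcdoc="<div style=background:blue;height:30px></div>">'
)

# Simplified model (assumption): only inline <script> bodies and iframe srcdoc
# values are treated as "source code" the auditor would compare against the request.
SCRIPT_CAPABLE = re.compile(
    r"<script\b[^>]*>(?P<body>.*?)</script>"
    r"|<iframe\b[^>]*\bsrcdoc=(?P<q>[\"'])(?P<doc>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)


def reflected_source(request_url: str, parsed_html: str) -> list:
    """Return each script-capable snippet in parsed_html that also appears verbatim
    in the percent-decoded query of request_url (the auditor's reflection heuristic)."""
    query = unquote(urlsplit(request_url).query)
    found = []
    for m in SCRIPT_CAPABLE.finditer(parsed_html):
        snippet = m.group("body") if m.group("body") is not None else m.group("doc")
        if snippet and snippet in query:
            found.append(snippet)
    return found


def auditor_blocks(request_url: str, parsed_html: str, response_headers: dict) -> bool:
    """True when the modelled auditor would refuse the reflected snippet.
    A missing header leaves the auditor enabled, as the inspector message states;
    a value starting with "0" disables it."""
    value = response_headers.get("X-XSS-Protection", "").strip()
    if value.startswith("0"):
        return False
    return bool(reflected_source(request_url, parsed_html))
```

The same srcdoc document served from a URL that does not echo it is not flagged, which is why the Tryit Editor renders the example while live-dom-viewer does not.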
Brent Fulgham
This is fixed when the XSS Auditor is removed (Bug 230499).
*** This bug has been marked as a duplicate of bug 230499 ***