Bug 27189

Summary: r45752+ nightly: @import css generates wrong path
Product: WebKit Reporter: Kevin M. Dean <kevin>
Component: CSSAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: abarth, dbates, john, mjs, simon
Priority: P2 Keywords: Regression, XSSAuditor
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
URL: http://forum.dvdtalk.com/forum-feedback-support-4/
Attachments:
Description Flags
Patch with test darin: review+

Kevin M. Dean
Reported 2009-07-11 22:26:41 PDT
The forum's on the site load a css from: @import url("clientscript/vbulletin_css/style-bbed93be-00019.css"); r45752+ generates a file not found and the css doesn't render when it tries to load the path: http://forum.dvdtalk.com/forum-feedback-support-4/clientscript/vbulletin_css/style-bbed93be-00019.css r45702 and earlier does render correctly and looks for the path: http://forum.dvdtalk.com/clientscript/vbulletin_css/style-bbed93be-00019.css
Attachments
Patch with test (4.20 KB, patch)
2009-07-12 12:36 PDT, Daniel Bates
darin: review+
Mark Rowe (bdash)
Comment 1 2009-07-12 10:52:34 PDT
Sounds like it could be another XSS auditor issue: > Refused to execute a JavaScript script. Source code of script found within request It'd be great if these errors mentioned the URL that they relate to.
Daniel Bates
Comment 2 2009-07-12 11:46:45 PDT
This issue is triggered because of the HTML Base element: <base href="http://forum.dvdtalk.com/" /> XSSAuditor thinks this is an attack because the URL of the Base element appears in the URL of the page (say http://forum.dvdtalk.com/dvd-talk-3/). A check in XSSAuditor::canSetBaseElementURL (line: m_frame->document()->url().baseAsString() != baseElementURL.baseAsString()) is insufficient. Working on patch. (In reply to comment #0) > The forum's on the site load a css from: > > @import url("clientscript/vbulletin_css/style-bbed93be-00019.css"); > > r45752+ generates a file not found and the css doesn't render when it tries to > load the path: > > http://forum.dvdtalk.com/forum-feedback-support-4/clientscript/vbulletin_css/style-bbed93be-00019.css > > r45702 and earlier does render correctly and looks for the path: > > http://forum.dvdtalk.com/clientscript/vbulletin_css/style-bbed93be-00019.css
Daniel Bates
Comment 3 2009-07-12 12:36:10 PDT
Created attachment 32631 [details] Patch with test
Daniel Bates
Comment 4 2009-07-12 13:13:48 PDT
*** Bug 27185 has been marked as a duplicate of this bug. ***
Daniel Bates
Comment 5 2009-07-12 14:45:30 PDT
*** Bug 27194 has been marked as a duplicate of this bug. ***
Adam Barth
Comment 6 2009-07-12 14:46:54 PDT
Sending LayoutTests/ChangeLog Adding LayoutTests/http/tests/security/xssAuditor/base-href-safe3-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/base-href-safe3.html Adding LayoutTests/http/tests/security/xssAuditor/resources/base-href/base-href-safe3.html Sending WebCore/ChangeLog Sending WebCore/page/XSSAuditor.cpp Transmitting file data ...... Committed revision 45763. http://trac.webkit.org/changeset/45763
Note You need to log in before you can comment on or make changes to this bug.