Bug 27639

Summary: XSS Auditor interferes with -[WebView stringByEvaluatingJavaScriptFromString:]
Product: WebKit Reporter: Mark Rowe (bdash) <mrowe>
Component: WebCore Misc.Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, dbates
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
Patch to check that canonicalString is not empty
none
Patch with test none

Mark Rowe (bdash)
Reported 2009-07-23 22:36:43 PDT
I tracked down an assertion failure in DumpRenderTree this afternoon that is caused by the XSS auditor causing the following API invocation to fail: [webView stringByEvaluatingJavaScriptFromString:@"0"]; With the XSS auditor enabled, this returns the empty string rather than "0" as expected. This was being tripped over by DumpRenderTree on machines that had never run the layout tests before due to the default preferences being incorrectly configured (<http://trac.webkit.org/changeset/46304>), but it seems undesirable for the XSS auditor to have any effect on these sorts of APIs.
Attachments
Patch to check that canonicalString is not empty (1.85 KB, patch)
2009-07-24 11:52 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Patch with test (3.48 KB, patch)
2009-07-24 12:52 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2009-07-23 22:41:50 PDT
We should actually do two things here: 1) If the canonical string is empty, we should allow the script. 2) We should white list the API to never be blocked.
Adam Barth
Comment 2 2009-07-24 02:26:44 PDT
Assigned to myself to resolution in the morning.
Daniel Bates
Comment 3 2009-07-24 11:52:00 PDT
Created attachment 33457 [details] Patch to check that canonicalString is not empty This patch does not include the white list functionality.
Adam Barth
Comment 4 2009-07-24 12:27:54 PDT
Comment on attachment 33457 [details] Patch to check that canonicalString is not empty Thank. We just need a test. :)
Adam Barth
Comment 5 2009-07-24 12:27:56 PDT
Comment on attachment 33457 [details] Patch to check that canonicalString is not empty Thanks. We just need a test. :)
Daniel Bates
Comment 6 2009-07-24 12:52:21 PDT
Created attachment 33464 [details] Patch with test Added test.
Mark Rowe (bdash)
Comment 7 2009-07-24 13:02:52 PDT
Comment on attachment 33464 [details] Patch with test Do we also plan on adding a more explicit mechanism for preventing legitimate JavaScript-related WebKit API calls from being touched by the XSS auditor?
Adam Barth
Comment 8 2009-07-24 13:02:54 PDT
Comment on attachment 33464 [details] Patch with test A patch of beauty.
Adam Barth
Comment 9 2009-07-24 13:03:48 PDT
(In reply to comment #7) > (From update of attachment 33464 [details]) > Do we also plan on adding a more explicit mechanism for preventing legitimate > JavaScript-related WebKit API calls from being touched by the XSS auditor? Yes. We also want to do this patch and it's easier.
Daniel Bates
Comment 10 2009-07-24 13:09:51 PDT
I have not looked into this, but we may need to be mindful of plugins which use the API to evaluate JavaScript scripts. In which case, we wouldn't want to disable the filter. (In reply to comment #9) > (In reply to comment #7) > > (From update of attachment 33464 [details] [details]) > > Do we also plan on adding a more explicit mechanism for preventing legitimate > > JavaScript-related WebKit API calls from being touched by the XSS auditor? > > Yes. We also want to do this patch and it's easier.
Adam Barth
Comment 11 2009-07-24 13:13:16 PDT
(In reply to comment #10) > I have not looked into this, but we may need to be mindful of plugins which use > the API to evaluate JavaScript scripts. In which case, we wouldn't want to > disable the filter. We should look at all the clients of evaluateScript and think about whether they need XSS filtering.
Adam Barth
Comment 12 2009-07-24 13:59:56 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ... M LayoutTests/ChangeLog A LayoutTests/http/tests/security/xssAuditor/script-tag-safe-expected.txt A LayoutTests/http/tests/security/xssAuditor/script-tag-safe.html M WebCore/ChangeLog M WebCore/page/XSSAuditor.cpp Committed r46372 M WebCore/ChangeLog M WebCore/page/XSSAuditor.cpp A LayoutTests/http/tests/security/xssAuditor/script-tag-safe-expected.txt A LayoutTests/http/tests/security/xssAuditor/script-tag-safe.html M LayoutTests/ChangeLog r46372 = 20701f1ff156a5bec23db64671d4cd7556a2cde8 (trunk) No changes between current HEAD and refs/remotes/trunk Resetting to the latest refs/remotes/trunk http://trac.webkit.org/changeset/46372
Adam Barth
Comment 13 2009-07-24 14:41:12 PDT
I think we should keep this bug open to do the whitelisting part. (Or we could file another bug, I guess.)
Adam Barth
Comment 14 2009-07-24 14:41:31 PDT
Comment on attachment 33464 [details] Patch with test Removing from commit queue.
Adam Barth
Comment 15 2011-05-27 16:49:45 PDT
I'd be surprised of this was still an issue given the new XSS auditor design. If there's something to fix here, please re-open with an example! Thx.
Note You need to log in before you can comment on or make changes to this bug.