Bug 30418

Summary:	[XSSAuditor] http://www.apple.com/startpage fails to render properly
Product:	WebKit	Reporter:	Daniel Bates <dbates>
Component:	WebCore Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	abarth, sam
Priority:	P2	Keywords:	XSSAuditor
Version:	528+ (Nightly build)
Hardware:	All
OS:	All
URL:	http://www.apple.com/startpage

Daniel Bates

Reported 2009-10-15 17:35:17 PDT

The Apple start page fails to render properly because the XSSAuditor blocks loading content with respect to the specified HTML Base element. Notice the first seven characters of the src property of the HTML Base element is "http://" which is clearly in the page URL.

Attachments
Add attachment proposed patch, testcase, etc.

Adam Barth

Comment 1 2009-10-15 17:45:48 PDT

Frown. Let's revert the 7 character change while we think about these cases.

Daniel Bates

Comment 2 2009-10-15 17:54:45 PDT

This issue also effects XSSAuditor::canLoadObject, and XSSAuditor::canEvaluateJavaScriptURL.

Adam Barth

Comment 3 2009-10-15 23:40:33 PDT

Dan rolled out the offending patch.

Note You need to log in before you can comment on or make changes to this bug.