|Summary:||[XSSAuditor] Allow scripts and plug-ins from the same origin|
|Product:||WebKit||Reporter:||Adam Barth <abarth>|
|Severity:||Normal||CC:||dbates, eric, sam|
|Version:||528+ (Nightly build)|
Description Adam Barth 2009-11-03 21:41:48 PST
I got a report today of a false positive with the XSSAuditor involving loading a SWF from a relative URL supplied in a request parameter. We can eliminate this false positive by always allowing same-origin loads of scripts and plug-ins. That should be pretty safe.
Comment 1 Daniel Bates 2009-11-04 13:58:02 PST
Adam, did you want to look into this? Otherwise, I can.
Comment 2 Adam Barth 2009-11-04 16:54:52 PST
If you could look into this, that would be great. We want to do something similar to what we do for the base tag.
Comment 3 Daniel Bates 2009-11-08 15:26:54 PST
Created attachment 42721 [details] Patch with test case Since XSSAuditor::canLoadExternalScriptFromSrc, XSSAuditor::canLoadObject, and XSSAuditor::canSetBaseElementURL should all allow same-origin loads, I defined a new method XSSAuditor::isSameOriginResource, as opposed to inlining the same-origin check.
Comment 4 Adam Barth 2009-11-08 16:27:17 PST
Comment on attachment 42721 [details] Patch with test case Precisely.
Comment 5 WebKit Commit Bot 2009-11-08 16:39:10 PST
Comment on attachment 42721 [details] Patch with test case Rejecting patch 42721 from commit-queue. Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1 Running build-dumprendertree Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests Testing 11577 test cases. http/tests/security/xssAuditor/object-src-inject.html -> failed Exiting early after 1 failures. 9065 tests run. 257.04s total testing time 9064 test cases (99%) succeeded 1 test case (<1%) had incorrect layout 5 test cases (<1%) had stderr output
Comment 6 Adam Barth 2009-11-08 16:44:57 PST
Dan, I think you'll have to land this manually because of the executable bit.
Comment 7 Daniel Bates 2009-11-08 16:50:00 PST
OK. Will do. (In reply to comment #6) > Dan, I think you'll have to land this manually because of the executable bit.
Comment 8 Daniel Bates 2009-11-08 17:18:41 PST
Committed r50631: <http://trac.webkit.org/changeset/50631>