Summary: | [XSSAuditor] Allow scripts and plug-ins from the same origin | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Adam Barth <abarth> | ||||
Component: | WebCore JavaScript | Assignee: | Daniel Bates <dbates> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | dbates, eric, sam | ||||
Priority: | P2 | Keywords: | XSSAuditor | ||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
Attachments: |
|
Description
Adam Barth
2009-11-03 21:41:48 PST
Adam, did you want to look into this? Otherwise, I can. If you could look into this, that would be great. We want to do something similar to what we do for the base tag. Created attachment 42721 [details]
Patch with test case
Since XSSAuditor::canLoadExternalScriptFromSrc, XSSAuditor::canLoadObject, and XSSAuditor::canSetBaseElementURL should all allow same-origin loads, I defined a new method XSSAuditor::isSameOriginResource, as opposed to inlining the same-origin check.
Comment on attachment 42721 [details]
Patch with test case
Precisely.
Comment on attachment 42721 [details]
Patch with test case
Rejecting patch 42721 from commit-queue.
Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1
Running build-dumprendertree
Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests
Testing 11577 test cases.
http/tests/security/xssAuditor/object-src-inject.html -> failed
Exiting early after 1 failures. 9065 tests run.
257.04s total testing time
9064 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
5 test cases (<1%) had stderr output
Dan, I think you'll have to land this manually because of the executable bit. OK. Will do. (In reply to comment #6) > Dan, I think you'll have to land this manually because of the executable bit. Committed r50631: <http://trac.webkit.org/changeset/50631> |