Bug 31098

Summary: [XSSAuditor] Allow scripts and plug-ins from the same origin
Product: WebKit Reporter: Adam Barth <abarth>
Component: WebCore JavaScriptAssignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: dbates, eric, sam
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch with test case abarth: review+, commit-queue: commit-queue-

Adam Barth
Reported 2009-11-03 21:41:48 PST
I got a report today of a false positive with the XSSAuditor involving loading a SWF from a relative URL supplied in a request parameter. We can eliminate this false positive by always allowing same-origin loads of scripts and plug-ins. That should be pretty safe.
Attachments
Patch with test case (7.47 KB, patch)
2009-11-08 15:26 PST, Daniel Bates 		abarth: review+
commit-queue: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2009-11-04 13:58:02 PST
Adam, did you want to look into this? Otherwise, I can.
Adam Barth
Comment 2 2009-11-04 16:54:52 PST
If you could look into this, that would be great. We want to do something similar to what we do for the base tag.
Daniel Bates
Comment 3 2009-11-08 15:26:54 PST
Created attachment 42721 [details] Patch with test case Since XSSAuditor::canLoadExternalScriptFromSrc, XSSAuditor::canLoadObject, and XSSAuditor::canSetBaseElementURL should all allow same-origin loads, I defined a new method XSSAuditor::isSameOriginResource, as opposed to inlining the same-origin check.
Adam Barth
Comment 4 2009-11-08 16:27:17 PST
Comment on attachment 42721 [details] Patch with test case Precisely.
WebKit Commit Bot
Comment 5 2009-11-08 16:39:10 PST
Comment on attachment 42721 [details] Patch with test case Rejecting patch 42721 from commit-queue. Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1 Running build-dumprendertree Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests Testing 11577 test cases. http/tests/security/xssAuditor/object-src-inject.html -> failed Exiting early after 1 failures. 9065 tests run. 257.04s total testing time 9064 test cases (99%) succeeded 1 test case (<1%) had incorrect layout 5 test cases (<1%) had stderr output
Adam Barth
Comment 6 2009-11-08 16:44:57 PST
Dan, I think you'll have to land this manually because of the executable bit.
Daniel Bates
Comment 7 2009-11-08 16:50:00 PST
OK. Will do. (In reply to comment #6) > Dan, I think you'll have to land this manually because of the executable bit.
Daniel Bates
Comment 8 2009-11-08 17:18:41 PST
Committed r50631: <http://trac.webkit.org/changeset/50631>
Eric Seidel (no email)
Comment 9 2009-11-09 12:33:22 PST
svn-apply bug is bug 27204.
Note You need to log in before you can comment on or make changes to this bug.