Bug 32570
| Summary: | XSSAuditor breaks Gigya widgets | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Collin Jackson <collinj> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | abarth, dbates |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | PC | | |
| OS: | OS X 10.5 | | |
| URL: | http://bit.ly/4BFjGc | | |
Collin Jackson
Gigya is a widget advertising network. Their server takes a query parameter
`src=http://apps.cooliris.com/embed/cooliris.swf...`
and replies with
`<embed src="http://apps.cooliris.com/embed/cooliris.swf" ...`
XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate the query parameters so this is probably a false positive.
I'm not sure how to fix it in WebKit other than allowing direct injections into the src attribute of an embed tag. Another option is to respect X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could also ask Gigya to obfuscate their query parameters to sneak past XSSAuditor.
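The false positive above, as an added example that is not WebKit's XSSAuditor code and not anything Gigya ships: a deliberately simplified model of the reflected-injection heuristic the report describes (a request query parameter echoed verbatim as the `src` of an `<embed>`, `<object>`, `<script>` or `<iframe>`, or as an inline handler or `javascript:` URL), plus the `X-XSS-Protection: 0` opt-out that bug 27312 asks for. The request URLs, response bodies and header names are constructed for the demo; the real auditor works inside the HTML tokenizer and its matching rules are considerably more involved than the exact string comparison used here.

```javascript
// Simplified model of a reflected-XSS auditor (added example, not WebKit source).
// Decision modelled on the bug report: a query-parameter value reflected verbatim
// into a dangerous attribute is treated as an injection, unless the response opts
// out with X-XSS-Protection: 0. All inputs at the bottom are constructed.

const DANGEROUS_TAGS = new Set(['embed', 'object', 'script', 'iframe']);
const DANGEROUS_ATTRS = new Set(['src', 'data', 'code']);
const MIN_PARAM_LENGTH = 8; // ignore short values that would match by accident

// Decoded [name, value] pairs from the request URL's query string.
function queryParams(requestUrl) {
  return Array.from(new URL(requestUrl).searchParams.entries());
}

// Crude start-tag scanner: yields {tag, attr, value} for every attribute of
// every start tag. Regex scanning is fine for this toy; a real auditor hooks
// the tokenizer so it sees exactly what the parser will see.
function* attributes(html) {
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let tagMatch;
  while ((tagMatch = tagRe.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    attrRe.lastIndex = 0;
    let attrMatch;
    while ((attrMatch = attrRe.exec(tagMatch[2])) !== null) {
      yield {
        tag,
        attr: attrMatch[1].toLowerCase(),
        value: attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? '',
      };
    }
  }
}

// Sinks where a reflected value gives the attacker script execution.
function isDangerous(tag, attr, value) {
  if (attr.startsWith('on')) return true;             // inline event handler
  if (/^\s*javascript:/i.test(value)) return true;     // javascript: URL in any attribute
  return DANGEROUS_TAGS.has(tag) && DANGEROUS_ATTRS.has(attr);
}

// Returns one finding per (parameter, sink) pair; an empty array means the
// response passes. Header names are assumed to be lower-cased by the caller.
function auditResponse(requestUrl, responseHeaders, responseBody) {
  const optOut = (responseHeaders['x-xss-protection'] || '').trim();
  if (optOut.startsWith('0')) return []; // site explicitly disabled the auditor

  const params = queryParams(requestUrl).filter(([, v]) => v.length >= MIN_PARAM_LENGTH);
  const findings = [];
  for (const { tag, attr, value } of attributes(responseBody)) {
    if (!isDangerous(tag, attr, value)) continue;
    for (const [name, v] of params) {
      if (value === v) findings.push({ param: name, tag, attr });
    }
  }
  return findings;
}

// --- Constructed inputs modelled on the bug report -------------------------
const SWF = 'http://apps.cooliris.com/embed/cooliris.swf';
// Gigya-style widget request: the src parameter is legitimately reflected.
const GIGYA_REQUEST = 'http://widgets.example.test/embed?src=' + SWF + '&sig=deadbeef';
const GIGYA_RESPONSE = '<embed src="' + SWF + '" type="application/x-shockwave-flash"></embed>';
// Same widget with an obfuscated (base64) parameter: no verbatim reflection.
const OBFUSCATED_REQUEST =
  'http://widgets.example.test/embed?src=' + encodeURIComponent(Buffer.from(SWF).toString('base64'));
// A genuine reflected injection: attacker-chosen script URL echoed back.
const ATTACK_REQUEST = 'http://victim.example.test/search?q=http://evil.example.test/x.js';
const ATTACK_RESPONSE = '<p>Results for</p><script src="http://evil.example.test/x.js"></script>';

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('gigya, no opt-out :', auditResponse(GIGYA_REQUEST, {}, GIGYA_RESPONSE));
  console.log('gigya, opt-out    :', auditResponse(GIGYA_REQUEST, { 'x-xss-protection': '0' }, GIGYA_RESPONSE));
  console.log('gigya, obfuscated :', auditResponse(OBFUSCATED_REQUEST, {}, GIGYA_RESPONSE));
  console.log('real injection    :', auditResponse(ATTACK_REQUEST, {}, ATTACK_RESPONSE));
}
```

Run with `node` to see the four cases. The first and last calls produce identical findings, which is the whole problem: a response-side signature over the parameters (what the report guesses Gigya does) is invisible to a client that only compares request bytes against response bytes, so the auditor cannot tell the widget from an attack. The opt-out header and the base64 parameter are the two workarounds the report lists, and both suppress the finding without changing what the page actually does.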
Adam Barth
I bet this is fixed now. Can we re-test?
Collin Jackson
Verified fixed in the latest WebKit nightly (r52686).
Test URL: http://mturner.wordpress.com/2009/12/08/cooliris-express-bringing-the-wall-to-your-website/
I believe Adam fixed this in r52532. There is a regression test so we should be all set.