Bug 33419

Summary: [XSSAuditor] Add XSSAuditor support to Qt DRT
Product: WebKit
Component: WebKit Qt
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Daniel Bates <dbates>
Assignee: Daniel Bates <dbates>
CC: abarth, abecsi, arabelo, commit-queue, diegohcg, eric, hausmann, kenneth, sam, tonikitoo, zoltan
Keywords: XSSAuditor
Bug Depends on:
Bug Blocks: 33420
Attachments:
Description    Flags
Patch          none
Patch          none
Patch          none

Description Daniel Bates 2010-01-08 22:50:38 PST
We should add support for the XSSAuditor to the Qt DRT.
Comment 1 Daniel Bates 2010-01-08 22:55:53 PST
Created attachment 46197
Patch
Comment 2 Daniel Bates 2010-01-08 22:58:41 PST
Created attachment 46198
Patch
Comment 3 Adam Barth 2010-01-08 23:02:35 PST
Comment on attachment 46198
Patch

yes
Comment 4 Simon Hausmann 2010-01-09 01:34:03 PST
Thanks Daniel for the patch!

I realize we also need to document in the API docs what exactly the XSSAuditorEnabled setting does. I'll spin off a separate bug.
Comment 5 Daniel Bates 2010-01-09 16:40:49 PST
Committed r53044: <http://trac.webkit.org/changeset/53044>
Comment 6 Daniel Bates 2010-01-09 19:21:34 PST
Need to look into why, even with this change, the XSSAuditor tests failed on the Qt bot.

At first we thought that only a few XSSAuditor tests were failing (see bug #33440), so we skipped them (http://trac.webkit.org/changeset/53045).

However, this did not resolve the issue and more XSSAuditor tests were failing. So, we decided to roll out this patch.

Hence, we rolled out the changes committed in change sets 53045 and 53044 (in that order) in <http://trac.webkit.org/changeset/53047> and <http://trac.webkit.org/changeset/53048>, respectively.

Strangely, with this patch applied, all XSSAuditor tests passed on my Ubuntu Qt build (r52685).
Comment 7 Robert Hogan 2010-01-10 09:25:09 PST
Created attachment 46234
Patch

Support for XSSAuditor needs to set both the global and page settings so that pages opened from the test inherit the setting. This is required for at least one test (open-in-new-window.html). It also means that the XSSAuditor should not be set in the WebPage constructor.

I'm not sure if the failures experienced on the buildbot were related.
Comment 8 Adam Barth 2010-01-10 10:29:29 PST
Comment on attachment 46234
Patch

Ok.  It's strange that the Qt DRT has two levels of settings while the other ones have one, but that's an issue for another day.
Comment 9 Daniel Bates 2010-01-10 10:39:40 PST
Thank you Robert.
Comment 10 WebKit Commit Bot 2010-01-10 20:09:09 PST
Comment on attachment 46234
Patch

Clearing flags on attachment: 46234

Committed r53060: <http://trac.webkit.org/changeset/53060>
Comment 11 WebKit Commit Bot 2010-01-10 20:09:17 PST
All reviewed patches have been landed.  Closing bug.
Comment 12 Eric Seidel (no email) 2010-01-10 21:22:05 PST
This caused Qt to start failing.  Bug 33460.  I'm going to roll this out unless I hear otherwise.
Comment 13 Daniel Bates 2010-01-10 23:00:15 PST
(In reply to comment #12)
> This caused Qt to start failing.  Bug 33460.  I'm going to roll this out unless
> I hear otherwise.

Spoke with Eric on IRC today (01/10/2010). Decided to add failing test http/tests/security/xssAuditor/malformed-HTML.html to Qt Skipped file for now. See bug #33460 for more details.