Bug 54590

Summary: Fix xssAuditor/form-action.html
Product: WebKit Reporter: Adam Barth <abarth>
Component: New Bugs Assignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, commit-queue, dbates, eric
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: OS X 10.5   
Attachments:
Description Flags
Patch none

Adam Barth
Reported 2011-02-16 14:47:36 PST
Fix xssAuditor/form-action.html
Attachments
Patch (3.77 KB, patch)
2011-02-16 14:49 PST, Adam Barth
no flags
Adam Barth
Comment 1 2011-02-16 14:49:06 PST
Eric Seidel (no email)
Comment 2 2011-02-16 14:51:53 PST
Comment on attachment 82703 Patch
That diff looks strange due to the file previously being empty. But looks good.
WebKit Commit Bot
Comment 3 2011-02-16 20:01:14 PST
Comment on attachment 82703 Patch
Clearing flags on attachment: 82703
Committed r78780: <http://trac.webkit.org/changeset/78780>
WebKit Commit Bot
Comment 4 2011-02-16 20:01:19 PST
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 5 2011-02-17 10:54:55 PST
+ We should block form actions. Although this technically can't be used + to run script, it's a pretty easy vector for stealing passwords. Doesn't the error message get too confusing then? +CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
Adam Barth
Comment 6 2011-02-17 12:28:36 PST
Yep. We should tailor the error message to what was blocked.