Bug 60489

Summary: XSSAuditor should be more selective about the <meta http-equivs> that it blocks
Product: WebKit Reporter: Adam Barth <abarth>
Component: New BugsAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, dbates, eric
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing
none
Patch for landing none

Adam Barth
Reported 2011-05-09 11:48:28 PDT
XSSAuditor should be more selective about the <meta http-equivs> that it blocks
Attachments
Patch (5.17 KB, patch)
2011-05-09 11:52 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch for landing (5.44 KB, patch)
2011-05-09 12:03 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch for landing (6.84 KB, patch)
2011-05-09 12:25 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2011-05-09 11:52:37 PDT
Created attachment 92815 [details] Patch
Daniel Bates
Comment 2 2011-05-09 12:00:07 PDT
Comment on attachment 92815 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=92815&action=review > Source/WebCore/ChangeLog:28 > + (WebCore::isNonCanonicalCharacter): > + (WebCore::canonicalize): > + (WebCore::isRequiredForInjection): > + (WebCore::hasName): > + (WebCore::findAttributeWithName): > + (WebCore::isNameOfInlineEventHandler): > + (WebCore::isDangerousHTTPEquiv): > + (WebCore::containsJavaScriptURL): > + (WebCore::decodeURL): > + (WebCore::XSSFilter::eraseAttributeIfInjected): Most of the changes to these methods is because this patch moves them from being in an anonymous namespace to being static functions. So, as to demarcate the syntactic change from the actual change for this bug I suggest adding a remark to the right of isDangerousHTTPEquiv to mention that it was added and add some sort of remark to the other functions (or general sentence to the commit message) to describe the syntactic changes. Alternatively, you could split this into two patches/bugs. One to move the methods from being in an anonymous namespace to being static functions. And one patch/bug to actually make the change described in this bug.
Daniel Bates
Comment 3 2011-05-09 12:01:16 PDT
Comment on attachment 92815 [details] Patch Also, can we test this change?
Adam Barth
Comment 4 2011-05-09 12:03:04 PDT
Created attachment 92821 [details] Patch for landing
Adam Barth
Comment 5 2011-05-09 12:03:34 PDT
Comment on attachment 92821 [details] Patch for landing Updated patch. Eric and I were discussing how and whether we want a test for this patch.
Adam Barth
Comment 6 2011-05-09 12:25:06 PDT
Created attachment 92826 [details] Patch for landing
WebKit Commit Bot
Comment 7 2011-05-09 14:20:32 PDT
Comment on attachment 92826 [details] Patch for landing Clearing flags on attachment: 92826 Committed r86087: <http://trac.webkit.org/changeset/86087>
WebKit Commit Bot
Comment 8 2011-05-09 14:20:38 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.