Bug 66579

Summary: [meta] XSSAuditor should have fewer false negatives
Product: WebKit Reporter: Adam Barth <abarth@webkit.org>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned@lists.webkit.org>
Status: NEW    
Severity: Normal CC: dbates@webkit.org
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 27895, 29278, 66580, 66585, 66588, 66850, 67091, 67134, 68094, 68281, 70255    
Bug Blocks:    

Description From 2011-08-19 13:26:50 PST
Currently the XSSAuditor has very few false positives, but it does have a number of false negatives.  False negatives a problematic because they let attackers bypass the filter, negating some of its security benefits.  False positives fall into two categories:

1) Tricky injections into in-scope injection contexts.
2) Injections into out-of-scope injection contexts.

Whether an injection context is in-scope is somewhat of an arbitrary distinction, but we should aim to tackle all the tricky injection vectors for the in-scope injection contexts before we expand to consider more contexts in-scope.  This approach puts us on a path to eliminating all the attack vectors for a given set of vulnerabilities rather than catching some, but not all, the attack vectors for a large number of vulnerabilities.

Let's use this bug as a meta bug for Type 1 vulnerabilities (which will appear as blocking this bug).