Bug 66579
| Summary: | [meta] XSSAuditor should have fewer false negatives | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Barth <abarth> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | bfulgham, dbates |
| Priority: | P2 | Keywords: | XSSAuditor |
| Version: | 528+ (Nightly build) | ||
| Hardware: | All | ||
| OS: | All | ||
| Bug Depends on: | 27895, 29278, 66580, 66585, 66588, 66850, 67091, 67134, 68094, 68281, 70255 | ||
| Bug Blocks: | |||
Adam Barth
Currently the XSSAuditor has very few false positives, but it does have a number of false negatives. False negatives a problematic because they let attackers bypass the filter, negating some of its security benefits. False positives fall into two categories:
1) Tricky injections into in-scope injection contexts.
2) Injections into out-of-scope injection contexts.
Whether an injection context is in-scope is somewhat of an arbitrary distinction, but we should aim to tackle all the tricky injection vectors for the in-scope injection contexts before we expand to consider more contexts in-scope. This approach puts us on a path to eliminating all the attack vectors for a given set of vulnerabilities rather than catching some, but not all, the attack vectors for a large number of vulnerabilities.
Let's use this bug as a meta bug for Type 1 vulnerabilities (which will appear as blocking this bug).
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Brent Fulgham
The XSS Auditor is removed in Bug 230499.