Summary: | http/tests/security/cross-origin-xsl-redirect-BLOCKED.html fails on several platforms | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Gabor Rapcsanyi <rgabor> | ||||||
Component: | Tools / Tests | Assignee: | jochen | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | abarth, ap, jochen, ossy, pnormand | ||||||
Priority: | P2 | ||||||||
Version: | 528+ (Nightly build) | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Gabor Rapcsanyi
2011-09-21 02:42:42 PDT
Created attachment 108138 [details]
Patch
Created attachment 108141 [details]
Patch
Committed r95622: <http://trac.webkit.org/changeset/95622> What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that. (In reply to comment #4) > What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that. sorry, the description is misleading. The tests don't fail, but the different platforms all produce slightly different output. regular chromium mac/win have an additional empty line, wk2 and other ports print the the frame tries to use xsl. all in all, it's a bit messy for a seemingly simple layout test :( correct baselines for all platforms should have been landed meanwhile Ok, so the "Frame: 'uses-xsl'" output is considered as a blank "PASS", correct? It's indeed rather difficult to verify that this result is a pass by looking at it. "uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure. (In reply to comment #7) > "uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure. uses-xsl is the name of the frame (see the html file) if the xsl was executed, it should print FAIL: Forbidden XML stylesheet did run. The test says: "This test passes if the iframe below is blank." That seems pretty unambiguous. > uses-xsl is the name of the frame (see the html file) Yes, I certainly understand what it is now. What I'm talking about is how to avoid this sort of confusion for others. It's desirable to make test output exceedingly obvious. You can find some useful ideas in <http://www.w3.org/Style/CSS/Test/guidelines.html>, for example. I think that the test can be made clearer by changing iframe name, making it obvious that it has nothing to do with result. That sounds like a good idea. We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling). (In reply to comment #11) > That sounds like a good idea. We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling). What about: This test passes if the iframe below does not contain a message starting with "FAIL"? > What about: This test passes if the iframe below does not contain a message starting with "FAIL"?
Sure. It might also be helpful to rename the frame if that's easy to do.
(In reply to comment #13) > > What about: This test passes if the iframe below does not contain a message starting with "FAIL"? > > Sure. It might also be helpful to rename the frame if that's easy to do. I've uploaded a CL for this in bug 68683 |