Bug 68515

Summary: http/tests/security/cross-origin-xsl-redirect-BLOCKED.html fails on several platforms
Product: WebKit Reporter: Gabor Rapcsanyi <rgabor>
Component: Tools / TestsAssignee: jochen
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, jochen, ossy, pnormand
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Gabor Rapcsanyi 2011-09-21 02:42:42 PDT
http/tests/security/cross-origin-xsl-redirect-BLOCKED.html introduced in http://trac.webkit.org/changeset/95580.
but fail on Qt-WK2 platfrom. diff:

--- /ramdisk/qt-linux-32-release-webkit2/build/layout-test-results/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt 
+++ /ramdisk/qt-linux-32-release-webkit2/build/layout-test-results/http/tests/security/cross-origin-xsl-redirect-BLOCKED-actual.txt 
@@ -2,3 +2,7 @@
 
 This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below is blank.
 
+
+--------
+Frame: 'uses-xsl'
+--------
Comment 1 jochen 2011-09-21 05:51:05 PDT
Created attachment 108138 [details]
Patch
Comment 2 jochen 2011-09-21 06:25:38 PDT
Created attachment 108141 [details]
Patch
Comment 3 jochen 2011-09-21 06:33:22 PDT
Committed r95622: <http://trac.webkit.org/changeset/95622>
Comment 4 Alexey Proskuryakov 2011-09-21 11:29:22 PDT
What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that.
Comment 5 jochen 2011-09-21 12:41:03 PDT
(In reply to comment #4)
> What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that.

sorry, the description is misleading. The tests don't fail, but the different platforms all produce slightly different output. regular chromium mac/win have an additional empty line, wk2 and other ports print the the frame tries to use xsl.

all in all, it's a bit messy for a seemingly simple layout test :(

correct baselines for all platforms should have been landed meanwhile
Comment 6 Alexey Proskuryakov 2011-09-21 12:43:55 PDT
Ok, so the "Frame: 'uses-xsl'" output is considered as a blank "PASS", correct?

It's indeed rather difficult to verify that this result is a pass by looking at it.
Comment 7 Alexey Proskuryakov 2011-09-21 12:45:10 PDT
"uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure.
Comment 8 jochen 2011-09-21 12:52:06 PDT
(In reply to comment #7)
> "uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure.

uses-xsl is the name of the frame (see the html file)

if the xsl was executed, it should print FAIL: Forbidden XML stylesheet did run.
Comment 9 Adam Barth 2011-09-21 12:59:46 PDT
The test says:

"This test passes if the iframe below is blank."

That seems pretty unambiguous.
Comment 10 Alexey Proskuryakov 2011-09-21 13:43:01 PDT
> uses-xsl is the name of the frame (see the html file)

Yes, I certainly understand what it is now. What I'm talking about is how to avoid this sort of confusion for others.

It's desirable to make test output exceedingly obvious. You can find some useful ideas in <http://www.w3.org/Style/CSS/Test/guidelines.html>, for example.

I think that the test can be made clearer by changing iframe name, making it obvious that it has nothing to do with result.
Comment 11 Adam Barth 2011-09-21 13:54:37 PDT
That sounds like a good idea.  We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling).
Comment 12 jochen 2011-09-22 07:21:57 PDT
(In reply to comment #11)
> That sounds like a good idea.  We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling).

What about: This test passes if the iframe below does not contain a message starting with "FAIL"?
Comment 13 Adam Barth 2011-09-22 08:13:35 PDT
> What about: This test passes if the iframe below does not contain a message starting with "FAIL"?

Sure.  It might also be helpful to rename the frame if that's easy to do.
Comment 14 jochen 2011-09-23 02:40:20 PDT
(In reply to comment #13)
> > What about: This test passes if the iframe below does not contain a message starting with "FAIL"?
> 
> Sure.  It might also be helpful to rename the frame if that's easy to do.

I've uploaded a CL for this in bug 68683