Bug 68515

Summary: http/tests/security/cross-origin-xsl-redirect-BLOCKED.html fails on several platforms
Product: WebKit Reporter: Gabor Rapcsanyi <rgabor>
Component: Tools / TestsAssignee: jochen
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ap, jochen, ossy, pnormand
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Gabor Rapcsanyi
Reported 2011-09-21 02:42:42 PDT
http/tests/security/cross-origin-xsl-redirect-BLOCKED.html introduced in http://trac.webkit.org/changeset/95580. but fail on Qt-WK2 platfrom. diff: --- /ramdisk/qt-linux-32-release-webkit2/build/layout-test-results/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt +++ /ramdisk/qt-linux-32-release-webkit2/build/layout-test-results/http/tests/security/cross-origin-xsl-redirect-BLOCKED-actual.txt @@ -2,3 +2,7 @@ This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below is blank. + +-------- +Frame: 'uses-xsl' +--------
Attachments
Patch (15.97 KB, patch)
2011-09-21 05:51 PDT, jochen 		no flags
DetailsFormatted DiffDiff
Patch (17.87 KB, patch)
2011-09-21 06:25 PDT, jochen 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
jochen
Comment 1 2011-09-21 05:51:05 PDT
Created attachment 108138 [details] Patch
jochen
Comment 2 2011-09-21 06:25:38 PDT
Created attachment 108141 [details] Patch
jochen
Comment 3 2011-09-21 06:33:22 PDT
Committed r95622: <http://trac.webkit.org/changeset/95622>
Alexey Proskuryakov
Comment 4 2011-09-21 11:29:22 PDT
What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that.
jochen
Comment 5 2011-09-21 12:41:03 PDT
(In reply to comment #4) > What bug(s) track the failures? You seem to be saying that WebKit2 has a security problem here - we need a security bug to track that. sorry, the description is misleading. The tests don't fail, but the different platforms all produce slightly different output. regular chromium mac/win have an additional empty line, wk2 and other ports print the the frame tries to use xsl. all in all, it's a bit messy for a seemingly simple layout test :( correct baselines for all platforms should have been landed meanwhile
Alexey Proskuryakov
Comment 6 2011-09-21 12:43:55 PDT
Ok, so the "Frame: 'uses-xsl'" output is considered as a blank "PASS", correct? It's indeed rather difficult to verify that this result is a pass by looking at it.
Alexey Proskuryakov
Comment 7 2011-09-21 12:45:10 PDT
"uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure.
jochen
Comment 8 2011-09-21 12:52:06 PDT
(In reply to comment #7) > "uses-xsl" in printed output sounds like a claim that XSL was used, which would be a failure. uses-xsl is the name of the frame (see the html file) if the xsl was executed, it should print FAIL: Forbidden XML stylesheet did run.
Adam Barth
Comment 9 2011-09-21 12:59:46 PDT
The test says: "This test passes if the iframe below is blank." That seems pretty unambiguous.
Alexey Proskuryakov
Comment 10 2011-09-21 13:43:01 PDT
> uses-xsl is the name of the frame (see the html file) Yes, I certainly understand what it is now. What I'm talking about is how to avoid this sort of confusion for others. It's desirable to make test output exceedingly obvious. You can find some useful ideas in <http://www.w3.org/Style/CSS/Test/guidelines.html>, for example. I think that the test can be made clearer by changing iframe name, making it obvious that it has nothing to do with result.
Adam Barth
Comment 11 2011-09-21 13:54:37 PDT
That sounds like a good idea. We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling).
jochen
Comment 12 2011-09-22 07:21:57 PDT
(In reply to comment #11) > That sounds like a good idea. We've had trouble testing these XSLT security properties in the past too because the success case is often that nothing renders at all (i.e., the style sheet correct fails to load, which triggers XML's strict error handling). What about: This test passes if the iframe below does not contain a message starting with "FAIL"?
Adam Barth
Comment 13 2011-09-22 08:13:35 PDT
> What about: This test passes if the iframe below does not contain a message starting with "FAIL"? Sure. It might also be helpful to rename the frame if that's easy to do.
jochen
Comment 14 2011-09-23 02:40:20 PDT
(In reply to comment #13) > > What about: This test passes if the iframe below does not contain a message starting with "FAIL"? > > Sure. It might also be helpful to rename the frame if that's easy to do. I've uploaded a CL for this in bug 68683
Note You need to log in before you can comment on or make changes to this bug.