WebKit Bugzilla
Bug 27179 - Facebook Chat is broken due to XSS auditor
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=27179
John Kieken
Reported 2009-07-11 11:09:35 PDT

PPC - OS 10.4.11

The latest build of WebKit (r45752) has broken Facebook Chat (Instant Messaging). Problem started only with the latest WebKit build (r45752) as of 7/11/09 1:04 PM. 10 or 20 seconds after loading the page, Facebook Chat disconnects permanently and messages cannot be sent. Reloading the page reconnects chat but it again disconnects. No chat messages can be sent even before it disconnects. Not a local router/port/firewall issue as Firefox is working normally on same machine.
Attachments

Proposed test case (attachment 32620; 1.93 KB, patch) - 2009-07-11 17:47 PDT, Daniel Bates, no flags
=Work in progress (attachment 32621; 6.47 KB, patch) - 2009-07-11 17:54 PDT, Adam Barth, no flags
Almost done patch. Needs tests. (attachment 32636; 7.55 KB, patch) - 2009-07-12 17:21 PDT, Adam Barth, no flags
patch (attachment 32642; 14.50 KB, patch) - 2009-07-12 20:04 PDT, Adam Barth, oliver: review+
Mark Rowe (bdash)
Comment 1
2009-07-11 12:29:59 PDT
This is caused by the XSS auditor:
> Refused to execute a JavaScript script. Source code of script found within request.
Adam Barth
Comment 2
2009-07-11 13:32:54 PDT
Ouch. I'll take a look at this.
Adam Barth
Comment 3
2009-07-11 15:55:36 PDT
The chat feature uses an iframe that echoes a URL parameter in the src property of a script tag. The web site is not exploitable because the server validates the host name before echoing. Unfortunately, there is no obvious connection between the iframe's host name (blah.blah.facebook.com) and the script's host name (foo.bar.fbcdn.net, Facebook's CDN). I think the correct solution is to look for more of the token in the URL. In this case "<script" etc.
Daniel Bates
Comment 4
2009-07-11 17:47:10 PDT
Created attachment 32620: Proposed test case

A simple test case.
Adam Barth
Comment 5
2009-07-11 17:54:25 PDT
Created attachment 32621: =Work in progress
Adam Barth
Comment 6
2009-07-11 17:58:36 PDT
I've got to go to dinner now, but here's my current work in progress patch. The idea is to grab a little more context from the tokenization prior to the URL and see if that shows up in the request.
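The false positive in comment 3 and the fix sketched in comment 6 can be modelled in a few lines. The block below is an added example written for this page, not code from WebKit; the function names (`find_script_srcs`, `naive_blocks`, `context_blocks`) are hypothetical and do not correspond to the functions in WebCore/page/XSSAuditor.cpp, and the request URLs and HTML fragments are constructed (the facebook.com and fbcdn.net hosts are the placeholders from comment 3). It contrasts the pre-fix heuristic, which refuses any external script whose src value appears in the request, with the context-aware heuristic, which also requires the tag text preceding the URL ("<script ... src=") to appear in the request, so that a server that deliberately echoes a validated URL into a script tag is no longer mistaken for a reflected script injection.

```python
import re
from urllib.parse import urlsplit, unquote

# Added illustration of the two heuristics discussed in this bug. The names
# below are hypothetical and are not the functions in
# WebCore/page/XSSAuditor.cpp; all request URLs and HTML are constructed.

# Matches a <script ...> start tag through the end of its src value, whether
# the value is double-quoted, single-quoted or unquoted.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))',
    re.IGNORECASE | re.DOTALL,
)


def normalize(text):
    """Canonical form for comparison: percent-decode, collapse whitespace, lowercase."""
    return re.sub(r"\s+", " ", unquote(text)).lower()


def request_text(url):
    """The part of the request the auditor compares against (path and query)."""
    parts = urlsplit(url)
    return normalize(parts.path + ("?" + parts.query if parts.query else ""))


def find_script_srcs(html):
    """Return (snippet, src) pairs; snippet runs from '<script' through the src value."""
    found = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        found.append((html[m.start():m.end()], src))
    return found


def naive_blocks(request_url, html):
    """Pre-fix behaviour: refuse any external script whose src value appears in the request."""
    req = request_text(request_url)
    return [src for _, src in find_script_srcs(html) if normalize(src) in req]


def context_blocks(request_url, html):
    """Behaviour sketched in comments 3 and 6: also require the tag context
    preceding the URL ('<script ... src=') to appear in the request."""
    req = request_text(request_url)
    return [src for snippet, src in find_script_srcs(html) if normalize(snippet) in req]


# Constructed stand-in for the chat frame: the server echoes a validated CDN
# URL (a different host from the frame itself) into a script tag.
CHAT_REQUEST = ("http://blah.blah.facebook.com/chat_frame"
                "?script=http%3A%2F%2Ffoo.bar.fbcdn.net%2Fchat.js")
CHAT_HTML = '<html><body><script src="http://foo.bar.fbcdn.net/chat.js"></script></body></html>'

# Constructed reflected-XSS cases: the whole tag comes from the query string,
# once unquoted and once double-quoted (the fix's layout tests cover both forms).
ATTACK_REQUEST = ("http://victim.example/search"
                  "?q=%3Cscript%20src%3Dhttp%3A%2F%2Fattacker.example%2Fx.js%3E%3C%2Fscript%3E")
ATTACK_HTML = '<p>Results for <script src=http://attacker.example/x.js></script></p>'

ATTACK_REQUEST_DQ = ("http://victim.example/search"
                     "?q=%3Cscript%20src%3D%22http%3A%2F%2Fattacker.example%2Fx.js%22%3E")
ATTACK_HTML_DQ = '<p>Results for <script src="http://attacker.example/x.js"></script></p>'


if __name__ == "__main__":
    cases = [("chat frame", CHAT_REQUEST, CHAT_HTML),
             ("reflected, unquoted", ATTACK_REQUEST, ATTACK_HTML),
             ("reflected, double-quoted", ATTACK_REQUEST_DQ, ATTACK_HTML_DQ)]
    for name, req, html in cases:
        print(f"{name}: naive blocks {naive_blocks(req, html)}, "
              f"context-aware blocks {context_blocks(req, html)}")
```

Running it shows the chat frame blocked only by the naive check, while both reflected cases are blocked by both. The model is deliberately simple: the real auditor works inside the tokenizer on the bytes it has just consumed rather than re-parsing the document, and its canonicalization of the request differs, so this is a sketch of the idea, not of the implementation that landed in r45787.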
Adam Barth
Comment 7
2009-07-12 17:21:18 PDT
Created attachment 32636: Almost done patch. Needs tests.
Adam Barth
Comment 8
2009-07-12 20:04:49 PDT
Created attachment 32642: patch
Oliver Hunt
Comment 9
2009-07-12 22:24:46 PDT
Comment on attachment 32642: patch

r=me
Adam Barth
Comment 10
2009-07-12 22:36:52 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/resources/echo-script-src.pl
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-src-redirect-safe.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-double-quote.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-no-quote.html
Sending        WebCore/ChangeLog
Sending        WebCore/html/HTMLTokenizer.cpp
Sending        WebCore/html/HTMLTokenizer.h
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Transmitting file data .............
Committed revision 45787.

http://trac.webkit.org/changeset/45787