Bug 30352 - [XSSAuditor] Add an exception for same-origin scripts
Summary: [XSSAuditor] Add an exception for same-origin scripts
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Adam Barth
Depends on:
Reported: 2009-10-14 04:12 PDT by eduardo vela
Modified: 2009-10-14 19:14 PDT (History)
3 users (show)

See Also:

Patch v1 (5.67 KB, patch)
2009-10-14 08:47 PDT, Adam Barth
darin: review+
abarth: commit-queue-
Details | Formatted Diff | Diff
patch without extra space (5.66 KB, patch)
2009-10-14 18:54 PDT, Adam Barth
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description eduardo vela 2009-10-14 04:12:11 PDT
I think something else can be done for XSSAuditor..
could it be an exception to src attributes on <script> tags if the URL is
in the same domain and is a single file with no querystring?

Something like:

<script type="text/javascript" src="/acs.js"></script>

Shouldn't be disabled by an attacker doing:

http://victim.com/?disable_script=<script type="text/javascript" src="/acs.js"></script>

The part where I say "with no querystring" is that we shouldnt allow:

<script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script>

Since in some weeeird cases that may be a vulnerability (its very dangerous anyway, since if you can make valid JS, you could probably make valid XML and load a crossdomain file for flash).. anyway, to be sure, only adding the exception for "/acs.js" should be safe.

I ask this since if a user is already able to modify the content of a file in the same domain then he can probably make a XSS directly anyway.. and if it's not done this way, the attack of disabling essential scripts for the page will be difficult.

This should reduce in some degree the attack scenario where an attacker disable scripts on the guest page.. also this should increase compatibility..

Test case:

Comment 1 Adam Barth 2009-10-14 08:08:20 PDT
Building / testing a patch now.
Comment 2 Adam Barth 2009-10-14 08:47:07 PDT
Created attachment 41162 [details]
Patch v1
Comment 3 Darin Adler 2009-10-14 14:21:31 PDT
Comment on attachment 41162 [details]
Patch v1

I don't understand the relationship of this patch with the bug title.

Otherwise, it seems fine.

> +    // script.  If the script has a query string, we're more suspicious,

We use one space after a period, not two.

Comment 4 Adam Barth 2009-10-14 18:54:00 PDT
Created attachment 41199 [details]
patch without extra space

Landing via commit-queue because my box is busy building / testing another patch.
Comment 5 WebKit Commit Bot 2009-10-14 19:14:34 PDT
Comment on attachment 41199 [details]
patch without extra space

Clearing flags on attachment: 41199

Committed r49605: <http://trac.webkit.org/changeset/49605>
Comment 6 WebKit Commit Bot 2009-10-14 19:14:39 PDT
All reviewed patches have been landed.  Closing bug.