Bug 30352 - [XSSAuditor] Add an exception for same-origin scripts
Summary: [XSSAuditor] Add an exception for same-origin scripts
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Adam Barth
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-14 04:12 PDT by eduardo vela
Modified: 2009-10-14 19:14 PDT (History)
CC List: 3 users

See Also:


Attachments
Patch v1 (5.67 KB, patch)
2009-10-14 08:47 PDT, Adam Barth
darin: review+
abarth: commit-queue-
patch without extra space (5.66 KB, patch)
2009-10-14 18:54 PDT, Adam Barth
no flags

Description eduardo vela 2009-10-14 04:12:11 PDT
I think something else can be done for XSSAuditor..
Could there be an exception for src attributes on <script> tags if the URL is
in the same domain and is a single file with no query string?

Something like:

<script type="text/javascript" src="/acs.js"></script>

Shouldn't be disabled by an attacker doing:

http://victim.com/?disable_script=<script type="text/javascript" src="/acs.js"></script>

The reason I say "with no query string" is that we shouldn't allow:

<script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script>

Since in some weird cases that may be a vulnerability (it's very dangerous anyway, since if you can make valid JS, you could probably make valid XML and load a crossdomain file for Flash).. anyway, to be sure, only adding the exception for "/acs.js" should be safe.

I ask this since if a user is already able to modify the content of a file in the same domain then he can probably make an XSS directly anyway.. and if it's not done this way, the attack of disabling essential scripts for the page will be difficult.

This should reduce to some degree the attack scenario where an attacker disables scripts on the guest page.. also this should increase compatibility..

Test case:
http://eaea.sirdarckcat.net/testhtml.html?disable_script=%3Cscript%20type=%22text/javascript%22%20src=%22acs.js%22%3E%3C/script%3E

Greetings!!
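As an added example that is not part of this report or of WebKit's code: a small model of the auditor's decision for an external script, with the same-origin, no-query-string exception the report asks for. The real XSSAuditor matches parsed tokens against the request; the reflected check here is a plain substring match on decoded query values, and `victim.com` is the report's host while `evil.example` is a constructed cross-origin host.

```javascript
// Added example, not WebKit's code: a model of the XSSAuditor decision for an
// external <script src="..."> with the same-origin exception this report asks for.
// The reflected check is a simplified substring match on decoded query values;
// it is enough to show why "/acs.js" on victim.com survives ?disable_script=...
// while a same-origin script with a query string, or a cross-origin script,
// is still blocked.

// Resolve the src against the document URL and apply the proposed exception:
// same origin AND no query string.
function isExemptSameOriginScript(documentUrl, scriptSrc) {
  let resolved;
  try {
    resolved = new URL(scriptSrc, documentUrl);
  } catch (e) {
    return false; // an unparsable src gets no exception
  }
  const sameOrigin = resolved.origin === new URL(documentUrl).origin;
  const noQuery = resolved.search === '';
  return sameOrigin && noQuery;
}

// Does the script tag text appear inside one of the request's query values?
function isReflectedFromRequest(documentUrl, scriptTag) {
  for (const value of new URL(documentUrl).searchParams.values()) {
    if (value.includes(scriptTag)) return true;
  }
  return false;
}

// Block only if the tag was reflected from the request and is not exempt.
function shouldBlockExternalScript(documentUrl, scriptTag, scriptSrc) {
  if (!isReflectedFromRequest(documentUrl, scriptTag)) return false;
  return !isExemptSameOriginScript(documentUrl, scriptSrc);
}

// Constructed helper: the page URL with the tag reflected through a query
// parameter, percent-encoded the way the report's test case does it.
function reflectingUrl(pageUrl, scriptTag) {
  return pageUrl + '?disable_script=' + encodeURIComponent(scriptTag);
}

// Constructed sample inputs mirroring the report's examples.
const PAGE = 'http://victim.com/';
const PLAIN_TAG = '<script type="text/javascript" src="/acs.js"></script>';
const QUERY_TAG = '<script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script>';
const REMOTE_TAG = '<script src="http://evil.example/x.js"></script>'; // evil.example is constructed

console.log(shouldBlockExternalScript(reflectingUrl(PAGE, PLAIN_TAG), PLAIN_TAG, '/acs.js'));   // false
console.log(shouldBlockExternalScript(reflectingUrl(PAGE, QUERY_TAG), QUERY_TAG, '/index.php?asdf=asdf&asdf=asdf')); // true
console.log(shouldBlockExternalScript(reflectingUrl(PAGE, REMOTE_TAG), REMOTE_TAG, 'http://evil.example/x.js')); // true
```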
Comment 1 Adam Barth 2009-10-14 08:08:20 PDT
Building / testing a patch now.
Comment 2 Adam Barth 2009-10-14 08:47:07 PDT
Created attachment 41162
Patch v1
Comment 3 Darin Adler 2009-10-14 14:21:31 PDT
Comment on attachment 41162
Patch v1

I don't understand the relationship of this patch with the bug title.

Otherwise, it seems fine.

> +    // script.  If the script has a query string, we're more suspicious,

We use one space after a period, not two.

r=me
Comment 4 Adam Barth 2009-10-14 18:54:00 PDT
Created attachment 41199
patch without extra space

Landing via commit-queue because my box is busy building / testing another patch.
Comment 5 WebKit Commit Bot 2009-10-14 19:14:34 PDT
Comment on attachment 41199
patch without extra space

Clearing flags on attachment: 41199

Committed r49605: <http://trac.webkit.org/changeset/49605>
Comment 6 WebKit Commit Bot 2009-10-14 19:14:39 PDT
All reviewed patches have been landed. Closing bug.