Bug 31098 - [XSSAuditor] Allow scripts and plug-ins from the same origin
Summary: [XSSAuditor] Allow scripts and plug-ins from the same origin
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: XSSAuditor
Depends on:
Blocks:
 
Reported: 2009-11-03 21:41 PST by Adam Barth
Modified: 2009-11-09 12:33 PST
CC List: 3 users

See Also:


Attachments
Patch with test case (7.47 KB, patch)
2009-11-08 15:26 PST, Daniel Bates
abarth: review+
commit-queue: commit-queue-

Description Adam Barth 2009-11-03 21:41:48 PST
I got a report today of a false positive with the XSSAuditor involving loading a SWF from a relative URL supplied in a request parameter.  We can eliminate this false positive by always allowing same-origin loads of scripts and plug-ins.  That should be pretty safe.
Comment 1 Daniel Bates 2009-11-04 13:58:02 PST
Adam, did you want to look into this? Otherwise, I can.
Comment 2 Adam Barth 2009-11-04 16:54:52 PST
If you could look into this, that would be great.  We want to do something similar to what we do for the base tag.
Comment 3 Daniel Bates 2009-11-08 15:26:54 PST
Created attachment 42721 [details]
Patch with test case

Since XSSAuditor::canLoadExternalScriptFromSrc, XSSAuditor::canLoadObject, and XSSAuditor::canSetBaseElementURL should all allow same-origin loads, I defined a new method XSSAuditor::isSameOriginResource, as opposed to inlining the same-origin check.
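The decision the description and Comment 3 talk about, written out as an added example (this is a constructed model of the auditor's logic, not WebKit's code; `origin_of`, `is_same_origin_resource`, `is_reflected` and `should_block_external_load` are names chosen here, and the URLs are made up). It shows why the relative SWF path from the report was a false positive: once the `src`/`data` URL is resolved against the document and compared by scheme, host and port, a same-origin load is exempt from the reflection check, while a reflected cross-origin URL is still blocked.

```python
"""Model of the XSSAuditor same-origin exemption discussed in this bug.

Constructed illustration, not WebKit code: a reflected-XSS filter compares
script/plug-in URLs found in the response against the request parameters,
but never blocks a load whose resolved URL has the document's own origin.
"""
from urllib.parse import parse_qs, urljoin, urlsplit

# Ports implied by the scheme when the URL carries none explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_same_origin_resource(document_url, resource_url):
    """Resolve resource_url against the document first, so a relative path
    such as 'movies/intro.swf' (or a scheme-relative '//host/x.swf') is
    judged by where it actually loads from, then compare origins."""
    resolved = urljoin(document_url, resource_url)
    return origin_of(resolved) == origin_of(document_url)


def is_reflected(document_url, resource_url):
    """True if the resource URL appears verbatim in a request parameter."""
    params = parse_qs(urlsplit(document_url).query)
    return any(resource_url in value
               for values in params.values() for value in values)


def should_block_external_load(document_url, resource_url):
    """Decision for one <script src> or <object data> seen in the response.

    Same-origin loads are exempt before anything else is checked; only a
    reflected, cross-origin URL is blocked. One shared check serves the
    script, plug-in and <base> paths alike, as Comment 3 describes."""
    if is_same_origin_resource(document_url, resource_url):
        return False
    return is_reflected(document_url, resource_url)


if __name__ == "__main__":
    # Constructed cases mirroring the report: a relative SWF path echoed from
    # a request parameter used to trip the auditor; it is same-origin, so allow.
    page = "http://example.com/app/player?movie=movies/intro.swf"
    print(should_block_external_load(page, "movies/intro.swf"))           # False
    evil = "http://example.com/app/player?movie=http://evil.example/x.swf"
    print(should_block_external_load(evil, "http://evil.example/x.swf"))  # True
```

Note that the same-origin comparison uses the resolved URL, lower-cases the host and fills in the scheme's default port, so `http://EXAMPLE.com:80/x.js` counts as the same origin as `http://example.com/` while `https://example.com/x.js` does not; a check that compared the raw attribute string against the document URL would get both of those wrong.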
Comment 4 Adam Barth 2009-11-08 16:27:17 PST
Comment on attachment 42721 [details]
Patch with test case

Precisely.
Comment 5 WebKit Commit Bot 2009-11-08 16:39:10 PST
Comment on attachment 42721 [details]
Patch with test case

Rejecting patch 42721 from commit-queue.

Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1
Running build-dumprendertree
Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests
Testing 11577 test cases.
http/tests/security/xssAuditor/object-src-inject.html -> failed

Exiting early after 1 failures. 9065 tests run.
257.04s total testing time

9064 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
5 test cases (<1%) had stderr output
Comment 6 Adam Barth 2009-11-08 16:44:57 PST
Dan, I think you'll have to land this manually because of the executable bit.
Comment 7 Daniel Bates 2009-11-08 16:50:00 PST
OK. Will do.
(In reply to comment #6)
> Dan, I think you'll have to land this manually because of the executable bit.
Comment 8 Daniel Bates 2009-11-08 17:18:41 PST
Committed r50631: <http://trac.webkit.org/changeset/50631>
Comment 9 Eric Seidel (no email) 2009-11-09 12:33:22 PST
svn-apply bug is bug 27204.