I got a report today of a false positive with the XSSAuditor involving loading a SWF from a relative URL supplied in a request parameter. We can eliminate this false positive by always allowing same-origin loads of scripts and plug-ins. That should be pretty safe.
Adam, did you want to look into this? Otherwise, I can.
If you could look into this, that would be great. We want to do something similar to what we do for the base tag.
Created attachment 42721 [details]
Patch with test case

Since XSSAuditor::canLoadExternalScriptFromSrc, XSSAuditor::canLoadObject, and XSSAuditor::canSetBaseElementURL should all allow same-origin loads, I defined a new method XSSAuditor::isSameOriginResource, as opposed to inlining the same-origin check.
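An added illustration of the same-origin check that the comments above describe, written as a stand-alone C++ program. This is example code, not WebKit's XSSAuditor implementation: the Origin struct and the parseOrigin, resolveForOrigin and isSameOriginResource names are assumptions of this example, and the URL handling is deliberately minimal (no IPv6 hosts, no full RFC 3986 resolution). It compares scheme, host and effective port after resolving the resource reference against the document URL, and it shows the caveat a reviewer would want checked: a reference without a scheme is only same-origin when it is path-relative, since a scheme-relative "//host/..." reference resolves to another host.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Hypothetical origin triple used by this example (not a WebKit type).
struct Origin {
    std::string scheme;
    std::string host;
    int port;
    bool operator==(const Origin& other) const {
        return scheme == other.scheme && host == other.host && port == other.port;
    }
};

static std::string toLower(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Effective port when the URL names none; -1 for schemes this example does not know.
static int defaultPort(const std::string& scheme) {
    if (scheme == "http") return 80;
    if (scheme == "https") return 443;
    if (scheme == "ftp") return 21;
    return -1;
}

// Length of a leading "scheme:" if the reference is absolute, otherwise 0.
static size_t schemeLength(const std::string& url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) return 0;
    for (size_t i = 1; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':') return i + 1;
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return 0;
    }
    return 0;
}

// Parse "scheme://[user@]host[:port]/..." into an Origin. Fails for references
// without an authority (relative paths, javascript:, data:), which therefore
// never compare equal to a document origin.
static bool parseOrigin(const std::string& url, Origin& out) {
    size_t schemeLen = schemeLength(url);
    if (schemeLen == 0 || url.compare(schemeLen, 2, "//") != 0) return false;
    out.scheme = toLower(url.substr(0, schemeLen - 1));
    size_t authStart = schemeLen + 2;
    size_t authEnd = url.find_first_of("/?#", authStart);
    std::string authority = url.substr(authStart,
        authEnd == std::string::npos ? std::string::npos : authEnd - authStart);
    size_t at = authority.rfind('@');  // drop userinfo; it is not part of the origin
    if (at != std::string::npos) authority = authority.substr(at + 1);
    size_t colon = authority.rfind(':');  // simplification: bracketed IPv6 hosts are not handled
    if (colon != std::string::npos) {
        out.host = toLower(authority.substr(0, colon));
        out.port = std::atoi(authority.c_str() + colon + 1);
    } else {
        out.host = toLower(authority);
        out.port = defaultPort(out.scheme);
    }
    return !out.host.empty();
}

// Resolve a resource reference only as far as the origin comparison needs:
// an absolute URL stands alone, a scheme-relative "//host/..." reference takes
// the document's scheme, and any other relative reference stays within the
// document's origin (its exact path does not affect the origin).
static std::string resolveForOrigin(const std::string& documentURL, const std::string& resource) {
    if (schemeLength(resource) != 0) return resource;
    Origin doc;
    if (!parseOrigin(documentURL, doc)) return resource;
    if (resource.compare(0, 2, "//") == 0) return doc.scheme + ":" + resource;
    return documentURL;
}

// True when the resource, resolved against the document, shares the document's origin.
bool isSameOriginResource(const std::string& documentURL, const std::string& resourceURL) {
    Origin doc, res;
    if (!parseOrigin(documentURL, doc)) return false;
    if (!parseOrigin(resolveForOrigin(documentURL, resourceURL), res)) return false;
    return doc == res;
}

int main() {
    // Constructed sample: a page whose request parameter names the SWF to load.
    const std::string page = "http://example.test/player.html?movie=movie.swf";
    const char* candidates[] = {
        "movie.swf", "/media/movie.swf", "http://example.test:80/movie.swf",
        "//attacker.test/movie.swf", "https://example.test/movie.swf", "javascript:alert(1)"
    };
    for (const char* c : candidates)
        std::cout << c << " -> " << (isSameOriginResource(page, c) ? "same-origin" : "cross-origin") << "\n";
    return 0;
}
```

The comparison normalises scheme and host case and fills in default ports, so "http://example.test:80/" and "http://example.test/" are the same origin, while a different port, a different scheme (https vs http) or a scheme-relative reference to another host is not.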
Comment on attachment 42721 [details]
Patch with test case

Precisely.
Comment on attachment 42721 [details]
Patch with test case

Rejecting patch 42721 from commit-queue.

Failed to run "['WebKitTools/Scripts/run-webkit-tests', '--no-launch-safari', '--quiet', '--exit-after-n-failures=1']" exit_code: 1
Running build-dumprendertree
Running tests from /Users/eseidel/Projects/CommitQueue/LayoutTests
Testing 11577 test cases.
http/tests/security/xssAuditor/object-src-inject.html -> failed
Exiting early after 1 failures.
9065 tests run.
257.04s total testing time
9064 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
5 test cases (<1%) had stderr output
Dan, I think you'll have to land this manually because of the executable bit.
OK. Will do.

(In reply to comment #6)
> Dan, I think you'll have to land this manually because of the executable bit.
Committed r50631: <http://trac.webkit.org/changeset/50631>
svn-apply bug is bug 27204.