RESOLVED FIXED 32570
XSSAuditor breaks Gigya widgets
https://bugs.webkit.org/show_bug.cgi?id=32570
Summary: XSSAuditor breaks Gigya widgets
Collin Jackson
Reported: 2009-12-15 12:11:26 PST
Gigya is a widget advertising network. Their server takes a query parameter src=http://apps.cooliris.com/embed/cooliris.swf... and replies with <embed src="http://apps.cooliris.com/embed/cooliris.swf" ... XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate the query parameters, so this is probably a false positive. I'm not sure how to fix it in WebKit other than allowing direct injections into the src attribute of an embed tag. Another option is to respect X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could also ask Gigya to obfuscate their query parameters to sneak past XSSAuditor.
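The false positive described in the report, as an added example that is not WebKit's XSSAuditor code: a deliberately simplified model of a reflected-XSS filter that flags an embed src copied verbatim from a request parameter, run against a constructed Gigya-style request/response pair (the sig parameter, URLs and header handling are assumptions), and showing how an X-XSS-Protection: 0 opt-out would let a server that validates its own parameters bypass the check.

```python
import re
from urllib.parse import urlparse, parse_qs

# Matches the src attribute of an <embed> tag in the response body.
EMBED_SRC = re.compile(r'<embed\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def reflected_embed_sources(request_url, response_html):
    """Return embed src values that also appear, decoded, as a query
    parameter value of the request.  This is the heuristic that trips
    on Gigya: the filter cannot tell a hash-validated reflection from
    an attacker-controlled one, so both look like an injection."""
    params = parse_qs(urlparse(request_url).query, keep_blank_values=True)
    request_values = {v for values in params.values() for v in values}
    return [m.group(1) for m in EMBED_SRC.finditer(response_html)
            if m.group(1) in request_values]


def audit(request_url, response_html, headers=None):
    """True when the modelled filter would block the response.
    X-XSS-Protection: 0 (the opt-out discussed under bug 27312) disables
    the check so a site that validates its own parameters is not broken."""
    normalized = {k.lower(): v.strip() for k, v in (headers or {}).items()}
    if normalized.get("x-xss-protection") == "0":
        return False
    return bool(reflected_embed_sources(request_url, response_html))


# Constructed sample traffic modelled on the report; "sig" and its value
# are placeholders for Gigya's real parameter-validation hash.
GIGYA_STYLE_REQUEST = (
    "http://widgets.example.test/embed"
    "?src=http%3A%2F%2Fapps.cooliris.com%2Fembed%2Fcooliris.swf"
    "&sig=PLACEHOLDER_HASH"
)
GIGYA_STYLE_RESPONSE = (
    '<embed src="http://apps.cooliris.com/embed/cooliris.swf" '
    'type="application/x-shockwave-flash"></embed>'
)

if __name__ == "__main__":
    print("blocked:", audit(GIGYA_STYLE_REQUEST, GIGYA_STYLE_RESPONSE))
    print("blocked with opt-out:",
          audit(GIGYA_STYLE_REQUEST, GIGYA_STYLE_RESPONSE,
                {"X-XSS-Protection": "0"}))
```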
Adam Barth
Comment 1 2010-01-01 16:25:29 PST
I bet this is fixed now. Can we re-test?
Collin Jackson
Comment 2 2010-01-01 17:54:11 PST
Verified fixed in the latest WebKit nightly (r52686). Test URL: http://mturner.wordpress.com/2009/12/08/cooliris-express-bringing-the-wall-to-your-website/ I believe Adam fixed this in r52532. There is a regression test so we should be all set.