Bug 32570 - XSSAuditor breaks Gigya widgets
Summary: XSSAuditor breaks Gigya widgets
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
: P2 Normal
Assignee: Nobody
URL: http://bit.ly/4BFjGc
Keywords:
Depends on:
Blocks:
 
Reported: 2009-12-15 12:11 PST by Collin Jackson
Modified: 2010-01-01 17:54 PST (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Collin Jackson 2009-12-15 12:11:26 PST
Gigya is widget advertising network. Their server takes a query parameter

src=http://apps.cooliris.com/embed/cooliris.swf...

and replies with

<embed src="http://apps.cooliris.com/embed/cooliris.swf" ...

XSSAuditor blocks this. Gigya appears to be using some sort of hash to validate the query parameters so this is probably a false positive.

I'm not sure how to fix it in WebKit other than allowing direct injections into the src attribute of an embed tag. Another option is to respect X-XSS-Protection (bug 27312) and then Gigya can opt out of XSSAuditor. We could also ask Gigya to obfuscate their query parameters to sneak pass XSSAuditor.
Comment 1 Adam Barth 2010-01-01 16:25:29 PST
I bet this is fixed now.  Can we re-test?
Comment 2 Collin Jackson 2010-01-01 17:54:11 PST
Verified fixed in the latest WebKit nightly (r52686).

Test URL: http://mturner.wordpress.com/2009/12/08/cooliris-express-bringing-the-wall-to-your-website/

I believe Adam fixed this in r52532. There is a regression test so we should be all set.