Observed with r59204 nightly.
Steps to reproduce:
1. Log in to Google Wave.
2. Click "New Wave" at the right.
Results: window navigates to about:blank.
Expected results: a new wave should appear at the right.
<rdar://problem/7994854>
Works in r56294, fails in r56295.
The main resource has " X-Xss-Protection:1; mode=block".
(In reply to comment #0)
> Observed with r59204 nightly.
>
> Steps to reproduce:
> 1. Log in to Google Wave.
> 2. Click "New Wave" at the right.
>
> Results: window navigates to about:blank.
> Expected results: a new wave should appear at the right.
I am unable to reproduce following the aforementioned steps with r59204 nightly and using my Google account. I tried resetting Safari (Safari->Reset Safari), then following the steps, to no avail. Do you happen to have a copy of the console messages when this occurred? Do you have any additional information on this issue?
It seems to only happen for some people, maybe Google serves different code versions? The link is <a href="javascript:;"> with some event listeners installed. Below is JS Console output:
HTML WARN: The page at https://wave.google.com/wave/ displayed insecure content from http://lh3.ggpht.com/__n9uIWxqWWk/SwXq4UxcJjI/AAAAAAAAA9k/Jk0EV1lvgMc/s104-c/IMG_1611.jpg.
HTML WARN: The page at https://wave.google.com/wave/ displayed insecure content from http://lh3.ggpht.com/__n9uIWxqWWk/SwXq4UxcJjI/AAAAAAAAA9k/Jk0EV1lvgMc/s104-c/IMG_1611.jpg.
JS ERROR: Refused to execute a JavaScript script. Source code of script found within request.
https://wave.google.com/wave/static/5DEB8B560FCA74C2AA4974967ED07055.cache.js:4218: JS ERROR: TypeError: Result of expression '(v.Y?$doc.getElementById(d):Upb(v,d))' [null] is not an object.
I know! I have a semicolon in my Google Wave password - this is why others can't reproduce.
Created attachment 56332: Patch with test case
Pass the schema portion of a JavaScript URL to the XSSAuditor as additional context.
Attachment 56332 did not build on chromium. Build output: http://webkit-commit-queue.appspot.com/results/2287234
Comment on attachment 56332: Patch with test case
Need to add the equivalent changes to the v8 bindings.
Created attachment 56464: Patch with test case
Updated patch with changes to V8 bindings and added missing file "http/tests/security/xssAuditor/resources/javascript-link-safe.html".
Attachment 56464 did not build on chromium. Build output: http://webkit-commit-queue.appspot.com/results/2273312
Created attachment 56473: Patch with test case
Created attachment 56474: Patch with test case
Fixed V8 prototype for ScriptController::executeIfJavaScriptURL
Adam, is this something you'd be willing to review?
I'd be happy to. I'm at W2SP today, but I'll try to review it tonight.
Comment on attachment 56474: Patch with test case
Very nice.
Committed r60014: <http://trac.webkit.org/changeset/60014>
*** Bug 38137 has been marked as a duplicate of this bug. ***
Behaviour described in bug 39186 is still there in latest r60027.