RESOLVED FIXED 49845
XSS Auditor severely affects loading performance after submitting a large form 
https://bugs.webkit.org/show_bug.cgi?id=49845
Summary XSS Auditor severely affects loading performance after submitting a large form
Alexey Proskuryakov
Reported Saturday, November 20, 2010 1:11:17 AM UTC
A certain enterprise application has severely degraded performance in Safari, and it turned out that this is due to XSSAuditor checks. The problem occurs after the application submits a form - the result loads really slow, beachballing Safari. This happens because the form is huge (about 170Kbytes). Creating a SuffixTree from it takes a long time. In addition, the tree isn't effectively cached (it's re-created each time you go from external script to inline script to an event listener attribute). Perhaps one doesn't need to create a SuffixTree if form data is longer than the script being executed? Or maybe there is an even better solution? Of course, one can disable XSS Auditor with HTTP headers as a temporary workaround. <rdar://problem/8546193>
Attachments
test case (1.71 KB, application/zip)
2011-01-18 14:18 PST, Alexey Proskuryakov 		no flags
Details
Patch (16.28 KB, patch)
2011-02-03 19:46 PST, Adam Barth 		dbates: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 Wednesday, December 1, 2010 8:53:56 PM UTC
If we cached the tree better, would that fix the issue?
Alexey Proskuryakov
Comment 2 Wednesday, December 1, 2010 8:59:53 PM UTC
The memory impact of having more than one copy of the tree doesn't appear negligible. Even one copy of a tree for a 170K form is probably not negligible.
Adele Peterson
Comment 3 Monday, January 17, 2011 11:32:10 PM UTC
We're seeing other reports of this slowness with internal website.
Adam Barth
Comment 4 Tuesday, January 18, 2011 12:10:07 AM UTC
Having a test case would be helpful here. I can try to create one based on the description in Comment #0. It seems like a reasonable first step is to improve the caching of the suffix tree.
Alexey Proskuryakov
Comment 5 Tuesday, January 18, 2011 10:18:08 PM UTC
Created attachment 79330 [details] test case I can't easily share or even access actual data from the internal web applications, but here is a synthetic test case. Works fast in Firefox, of course.
Adam Barth
Comment 6 Tuesday, January 18, 2011 10:25:34 PM UTC
Thanks Alexey.
Adam Barth
Comment 7 Tuesday, January 25, 2011 12:49:48 AM UTC
The proximate cause is that the CachingURLCanonicalizer isn't sufficiently associative. Alternating inline event handlers and inline script flips the decodeEntities bit back and forth, causing the cache to thrash. A short-term fix is to make the cache more associative. A long-term fix is to move to a new XSS detection architecture, which I've wanted to do for a while... I'm going to try for the short term fix first.
Adam Barth
Comment 8 Wednesday, January 26, 2011 6:43:32 PM UTC
We talked on IRC. I'm going to try the long-term fix first. I'll post incremental patches blocking this bug.
Adam Barth
Comment 9 Thursday, February 3, 2011 8:50:07 AM UTC
With the patches up through Bug 53665, this test case is now blazingly fast.
Adam Barth
Comment 10 Friday, February 4, 2011 3:46:39 AM UTC
Created attachment 81176 [details] Patch
Adam Barth
Comment 11 Friday, February 4, 2011 3:47:03 AM UTC
I'll add the PerformanceTest in a follow-up patch.
Daniel Bates
Comment 12 Friday, February 4, 2011 3:52:36 AM UTC
Comment on attachment 81176 [details] Patch r=me
Adam Barth
Comment 13 Friday, February 4, 2011 3:53:56 AM UTC
Some discussion in IRC: [7:50pm] dydz: abarth: Some of the expected results have more console messages than before... [7:50pm] abarth: yeah [7:50pm] abarth: that's because we block injected "type" attributes [7:51pm] abarth: for objects now too [7:51pm] abarth: in XSSAuditor, you could inject an object tag for Gears [7:51pm] abarth: for example [7:51pm] abarth: because that doesn't result in a load [7:51pm] abarth: whereas XSSFilter will block that [7:52pm] abarth: dydz: i think there's some kind of attack scenario there involving a plugin with a non-standard way of loading stuff [7:52pm] abarth: dydz: but i don't have a concrete example
Adam Barth
Comment 14 Friday, February 4, 2011 3:56:56 AM UTC
Committed r77588: <http://trac.webkit.org/changeset/77588>
Alexey Proskuryakov
Comment 15 Monday, February 14, 2011 7:47:51 PM UTC
> Of course, one can disable XSS Auditor with HTTP headers as a temporary workaround. Ugh, it turns that one cannot do that with WebKit as released with shipping Safari. XSSAuditor::findInRequest() only checks for X-XSS-Protection header after performing all time consuming operations!
Adam Barth
Comment 16 Monday, February 14, 2011 9:35:00 PM UTC
(In reply to comment #15) > > Of course, one can disable XSS Auditor with HTTP headers as a temporary workaround. > > Ugh, it turns that one cannot do that with WebKit as released with shipping Safari. XSSAuditor::findInRequest() only checks for X-XSS-Protection header after performing all time consuming operations! That's unfortunate. :( The new design shouldn't have that problem...
Note You need to log in before you can comment on or make changes to this bug.