Bug 54590 - Fix xssAuditor/form-action.html
Summary: Fix xssAuditor/form-action.html
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Other OS X 10.5
Importance: P2 Normal
Assignee: Adam Barth
Reported: 2011-02-16 14:47 PST by Adam Barth
Modified: 2011-02-17 12:28 PST
Attachments
Patch (3.77 KB, patch)
2011-02-16 14:49 PST, Adam Barth

Description Adam Barth 2011-02-16 14:47:36 PST
Fix xssAuditor/form-action.html
Comment 1 Adam Barth 2011-02-16 14:49:06 PST
Created attachment 82703
Patch
Comment 2 Eric Seidel (no email) 2011-02-16 14:51:53 PST
Comment on attachment 82703
Patch

That diff looks strange due to the file previously being empty.  But looks good.
Comment 3 WebKit Commit Bot 2011-02-16 20:01:14 PST
Comment on attachment 82703
Patch

Clearing flags on attachment: 82703

Committed r78780: <http://trac.webkit.org/changeset/78780>
Comment 4 WebKit Commit Bot 2011-02-16 20:01:19 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Alexey Proskuryakov 2011-02-17 10:54:55 PST
+        We should block form actions.  Although this technically can't be used
+        to run script, it's a pretty easy vector for stealing passwords.

Doesn't the error message get too confusing then?

+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
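Review bot: the expected console line here, "Refused to execute a JavaScript script. Source code of script found within request.", is recorded for a test of form action blocking, while the ChangeLog text quoted above says a form action technically can't be used to run script. Locking that wording into the expected output makes the test pass on a message that misdescribes what was blocked; consider emitting a message that names the form action and updating this expectation to match.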
Comment 6 Adam Barth 2011-02-17 12:28:36 PST
Yep.  We should tailor the error message to what was blocked.